Allow Helm to automatically install from a chart stored in an ECR repository

[allamand]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
What do you want us to build? I would like a mechanism that would allow me to simply uses helm cli to install a chart stored in a ECR Repository.

Which service(s) is this request for?
ECR

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
I want to be able to deploy some helm charts that are stored in an ECR repository (following this guidlines) from a CDK application.

Currently it is not possible helm sends back an error:

Failed to update resource. Error: b'Error: could not find protocol handler for: \n'

Are you currently working around this issue?
How are you currently solving this problem?

Not deploying using CDK, and following this 3 steps procedure

Additional context
Anything else we should know?

It is also not possible to add the ECR repo as helm repo

helm repo add myrepo <account_id>.dkr.ecr.eu-west-1.amazonaws.com/myrepo     
Error: could not find protocol handler for:

[pahud]

Hi @allamand

aws-eks construct in AWS CDK comes with the helm kubectl-handler that executes the helm command to create custom resources as HelmChart construct.

The provider of the HelmChart can be found here:

At this moment, when the HelmChart custom resources are created or updated, it runs helm upgrade under the hood.

I believe if the native helm executable has native support for ECR, it's absolutely possible to extend the HelmChart AWS CDK construct to support this.

Would be great to open an issue for AWS CDK and reference back to this one.

[allamand]

Hi @pahud Thanks for the informations.
If I understand well, at this time Helm is not nattively supporting ECR repo and we can rely and the 3 steps:

helm chart pull account.dkr.ecr.eu-west-1.amazonaws.com/repo_name:chart_name
helm chart export account.dkr.ecr.eu-west-1.amazonaws.com/repo_name:chart_name

Then the helm upgrade could work with locally stores chart

'helm', 'upgrade', 'release_name', 'chart_name', '--install',  #'--create-namespace', '--values', '/tmp/values.yaml', '--namespace', 'kube-system', '--kubeconfig', '/tmp/kubeconfig'

But I'm not sur If we need to make this 3 steps available in the HelmChart provider for CDK or find a way to make helm able to work natively with ECR.

[mdipirro]

We came across the very same issue today. Apparently, neither a private repository nor a public one can be used from within a CDK application. Is there any news on it?

[jlbutler]

Using the OCI registry support in the Helm client, you can install a chart directly from ECR. This has been an experimental feature in Helm for a while, but is now GA in the v3.8.0 release.

Btw, I found this because I went to see how I could help out with OCI regsitry support getting to GA in Helm, and it's already released. Thanks Helm community!

For ECR docs, check out how to push OCI artifacts, and how to use Helm charts from ECR with EKS.

Note that using an OCI registry vs a traditional Helm repo is a different way to work with Helm, so be aware of the differences. A Helm repo is backed by a single piece of storage (e.g. a single s3 bucket), where you can push as many charts of as many versions as you like to a single storage space. Using a registry with Helm works more like working with images, so each chart will likely have its own repository, and each chart version will use a tag in that repository.

Here's a quick example, using helm 3.8.0:

$ export AWS_REGION=aws-region
$ export AWS_ACCOUNT_ID=aws-account-id

$ aws ecr create-repository --repository-name my-chart --region ${AWS_REGION}

$ aws ecr get-login-password --region ${AWS_REGION} |
helm registry login
--username AWS
--password-stdin${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com

$ helm push my-chart-0.1.tgz oci://${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com

$ helm install helm-test-chart-ga oci://${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/my-chart --version 0.1

[alexef]

Can this be closed given @jlbutler's answer above?

[joebowbeer]

@jlbutler has anyone demo'd ECR pull-through caching for OCI helm registries? If not and this makes sense, then I'll create an RFE.

[jlbutler]

nothing like a months-late reply... sorry I missed the pings! Yes, we can close this one out. I hesitate to mark it shipped because it was really Helm adopting OCI that did the trick.

@joebowbeer yes, ECR Pull through cache works for Helm charts. Let us know if you see any issues with it!