aws-quickstart / quickstart-helm-resource-provider

AWS Quick Start Team

[QUERY] Is there any plan to support S3 or ECR plugin?

amitkatyal opened this issue · comments

We have a requirement to deploy the Helm chart from an ECR or S3 repo. But during deployment, we found that the QS Helm resource provider doesn't support the ecr or s3 protocol. Is there any plan to add support for either of them for the AWS deployment, or is there any other workaround? Currently, we have to manually modify the Helm repo index.yaml file to change the protocol from s3 to https.

Can you pass the chart in this format to download images from ECR? For S3 you can use s3://<bucket>/<key>.

Thanks, Arun.
Let me try. I will check and update.

Arun,

I updated the CF Helm resource provider plugin to the latest version and tested it by specifying the chart value as

oci://account-id.dkr.ecr.region.amazonaws.com/repo-name:chartName

but it didn't work, and I am getting the error below:

2021/07/04 03:03:03 Error: At Downloading - pull failed account-id.dkr.ecr.region.amazonaws.com/reponame:chartname, Error: unexpected status code [manifests chartName]: 400 Bad Request

I followed the instructions on this page to push the Helm charts to the ECR repo: https://docs.aws.amazon.com/AmazonECR/latest/userguide/push-oci-artifact.html

Just to check whether the charts were pushed correctly to the ECR repo, I tried another open-source Helm plugin that supports the ECR protocol and successfully installed the charts from ECR.

ECR Plugin - https://github.com/vetyy/helm-ecr

CLI command to install the Helm chart from ECR:

helm install releaseName ecr://account-id.dkr.ecr.region.amazonaws.com/repo-name/chartName --namespace --create-namespace

Since we need to install the Helm charts via a CF template, could you please provide your input on the error below?
2021/07/04 03:03:03 Error: At Downloading - pull failed account-id.dkr.ecr.region.amazonaws.com/reponame:chartname, Error: unexpected status code [manifests chartName]: 400 Bad Request

Amit, can you share the logs provider with me? Also, the permissions of the IAM role used for the provider?

Arun,

Sorry, I didn't get you. What do you mean by the logs provider?

I think you are asking about the IAM role/policy attached to the plugin. The IAM policy does have the ECR permissions. As we are getting 400 Bad Request, I suspect this issue has to do with the request.

RegisterHelmType:
  DependsOn: ArtifactCopyPolicy
  Type: Custom::RegisterType
  Properties:
    ServiceToken: !GetAtt RegisterTypeFunction.Arn
    TypeName: "AWSQS::Kubernetes::Helm"
    Version: "3.0.10"
    RandomStr: !Ref RandomStr
    SchemaHandlerPackage: !Sub ["s3://${Prefix}-lambdazips-${AWS::Region}-${AWS::AccountId}/${QSS3KeyPrefix}functions/packages/HelmReleaseResource/awsqs-kubernetes-helm.zip", {Prefix: !FindInMap [Config, Prefix, Value]}]
    IamPolicy:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action:
            - "secretsmanager:GetSecretValue"
            - "kms:Decrypt"
            - "eks:DescribeCluster"
            - "s3:GetObject"
            - "sts:AssumeRole"
            - "iam:PassRole"
            - "iam:ListRolePolicies"
            - "iam:ListAttachedRolePolicies"
            - "iam:GetRole"
            - "iam:GetPolicy"
            - "iam:GetPolicyVersion"
            - "ec2:CreateNetworkInterface"
            - "ec2:DeleteNetworkInterface"
            - "ec2:Describe*"
            - "logs:CreateLogGroup"
            - "logs:CreateLogStream"
            - "logs:PutLogEvents"
            - "lambda:*"
            - "cloudformation:ListExports" # required for fetching contract test inputs
            - "ecr:GetAuthorizationToken" # required for fetching charts from ECR
            - "ecr:BatchCheckLayerAvailability" # required for fetching charts from ECR
            - "ecr:GetDownloadUrlForLayer" # required for fetching charts from ECR
            - "ecr:BatchGetImage" # required for fetching charts from ECR
          Resource: "*"

Amit, the provider logs will be in CloudWatch Logs (cloudformation/registry/awsqs-kubernetes-helm). I assume the resource is configured as *.

Also, I would like to request a few more details from you:

  • The aws ecr describe-images output for the chart you are trying to pull.
  • Do you see any errors in CloudTrail?
  • Are you trying to pull the image from the same account?

Arun,

Thanks for your quick reply!

Yes, the resource is configured as "*".

Regarding the CloudWatch logs, I will try to reproduce the issue again and share the details by tomorrow.

The error logs shared earlier were from the CloudWatch output:
2021/07/04 03:03:03 Error: At Downloading - pull failed account-id.dkr.ecr.region.amazonaws.com/reponame:chartname, Error: unexpected status code [manifests chartName]: 400 Bad Request

  1. I don't see any errors in CloudTrail.

  2. Yes, I am trying to pull the image from the same account but from a different region.

  3. aws ecr describe-images --repository-name ztna-helm --region ap-southeast-1
     {
       "imageDetails": [
         {
           "registryId": "accountId",
           "repositoryName": "ztna-helm",
           "imageDigest": "sha256:151bac29a04e000e2339d1ad7b585f5a59bd7f97bcb143843ad4b60747510512",
           "imageTags": [
             "ztna"
           ],
           "imageSizeInBytes": 99584,
           "imagePushedAt": "2021-07-04T07:39:26+05:30",
           "imageManifestMediaType": "application/vnd.oci.image.manifest.v1+json",
           "artifactMediaType": "application/vnd.cncf.helm.config.v1+json"
         }
       ]
     }

Amit, the cross region was causing the issue. I have pushed the fix in release v1.1.1.
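Why the region matters for an ECR pull, and how the IAM policy posted above could be scoped to one repository, shown as an added shell example (this is not the provider's code and not anything posted in the thread). It derives the account and region from the oci:// reference, requests the ECR login token from that region rather than the caller's default region, and builds a pull policy whose repository ARN carries that region. Assumptions: AWS CLI v2 and Helm 3.8+ (native OCI support) are installed; only the `<account>.dkr.ecr.<region>.amazonaws.com` hostname form is handled; the function names and the account ID 123456789012 are placeholders of mine.

```shell
#!/usr/bin/env bash
# Added example: region-aware ECR login/pull for a Helm chart, plus a scoped pull
# policy. Not the awsqs-kubernetes-helm provider's code. Function names are mine.
set -eu

# ecr_registry_parts REF
# Splits oci://<account>.dkr.ecr.<region>.amazonaws.com/<repo>[:<tag>] into
# "<host> <account> <region> <repo> <tag>" on stdout. Returns 1 for a host that
# is not an ECR registry. Assumption: commercial-partition hostnames only.
ecr_registry_parts() {
  local ref host path repo tag account rest region
  ref=${1#oci://}
  host=${ref%%/*}
  path=${ref#*/}
  repo=${path%%:*}
  tag=${path##*:}
  [ "$repo" != "$path" ] || tag=""          # no ":<tag>" present
  case "$host" in
    *.dkr.ecr.*.amazonaws.com) ;;
    *) echo "not an ECR registry: $host" >&2; return 1 ;;
  esac
  account=${host%%.*}
  rest=${host#*.dkr.ecr.}
  region=${rest%.amazonaws.com}
  printf '%s %s %s %s %s\n' "$host" "$account" "$region" "$repo" "$tag"
}

# ecr_pull_policy REF
# Prints an IAM policy document in which the three pull actions are limited to
# the one repository ARN. The ARN embeds the registry's region, so a chart kept
# in another region needs that region here, not the stack's region.
# ecr:GetAuthorizationToken only accepts Resource "*".
ecr_pull_policy() {
  local parts account region repo
  parts=$(ecr_registry_parts "$1") || return 1
  set -- $parts
  account=$2 region=$3 repo=$4
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*" },
    { "Effect": "Allow",
      "Action": ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
      "Resource": "arn:aws:ecr:${region}:${account}:repository/${repo}" }
  ]
}
EOF
}

# ecr_helm_pull REF
# Requests the login token from the registry's own region (a token obtained in a
# different region is not valid for this registry), logs Helm in, and pulls the
# chart. Helm 3.8+ treats the OCI tag as the chart version, so a tag is required.
ecr_helm_pull() {
  local parts host region repo tag password
  parts=$(ecr_registry_parts "$1") || return 1
  set -- $parts
  host=$1 region=$3 repo=$4 tag=${5:-}
  if [ -z "$tag" ]; then
    echo "chart version (OCI tag) required in reference" >&2
    return 1
  fi
  password=$(aws ecr get-login-password --region "$region")
  printf '%s' "$password" | helm registry login --username AWS --password-stdin "$host"
  helm pull "oci://${host}/${repo}" --version "$tag"
}

# Usage (placeholder account ID, constructed for the example):
#   ecr_pull_policy oci://123456789012.dkr.ecr.ap-southeast-1.amazonaws.com/ztna-helm:ztna
#   ecr_helm_pull   oci://123456789012.dkr.ecr.ap-southeast-1.amazonaws.com/ztna-helm:ztna
```

The login step is where a cross-region setup breaks: `get-login-password` must be called against the region in the registry hostname, whatever region the stack or the provider itself runs in. For the cross-account case raised later in the thread, general ECR behaviour (not a statement about what the provider does) is that the caller's own token is presented to the other account's registry, and that registry's repository policy must grant the calling principal the same three read actions; the caller-side policy alone is not enough.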

Thanks a lot, Arun!
I'll test the fix and update you.

Thanks, Arun. It works!

Helm charts from ECR are not working in the case of cross-account access. Is there any plan to address this?