feat(eks): install helm chart from asset (#17217)

Adding on to the work @plumdog started on #13496 and @pradoz in #15899.  Implemented the @iliapolo's [suggested changes](https://github.com/aws/aws-cdk/pull/15899/files#r683431181)

Related to #9273

### Use Case

To be able to use private helm charts without needing a private chart repository.

### Proposed Solution

[Allow helm charts](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-eks.HelmChart.html) to be an asset by introducing the property `chartAsset`.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: cmckni3

packages/@aws-cdk/aws-eks/README.md

@@ -1113,6 +1113,21 @@ are being passed down (such as `repo`, `values`, `version`, `namespace`, `wait`,
 This means that if the chart is added to CDK with the same release name, it will try to update
 the chart in the cluster.
 
+Additionally, the `chartAsset` property can be an `aws-s3-assets.Asset`. This allows the use of local, private helm charts.
+
+```ts
+import * as s3Assets from '@aws-cdk/aws-s3-assets';
+
+declare const cluster: eks.Cluster;
+const chartAsset = new s3Assets.Asset(this, 'ChartAsset', {
+  path: '/path/to/asset'
+});
+
+cluster.addHelmChart('test-chart', {
+  chartAsset: chartAsset,
+});
+```
+
 Helm charts are implemented as CloudFormation resources in CDK.
 This means that if the chart is deleted from your code (or the stack is
 deleted), the next `cdk deploy` will issue a `helm uninstall` command and the

packages/@aws-cdk/aws-eks/lib/helm-chart.ts

@@ -1,3 +1,4 @@
+import { Asset } from '@aws-cdk/aws-s3-assets';
 import { CustomResource, Duration, Names, Stack } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { ICluster } from './cluster';
@@ -14,8 +15,11 @@ import { Construct as CoreConstruct } from '@aws-cdk/core';
 export interface HelmChartOptions {
   /**
    * The name of the chart.
+   * Either this or `chartAsset` must be specified.
+   *
+   * @default - No chart name. Implies `chartAsset` is used.
    */
-  readonly chart: string;
+  readonly chart?: string;
 
   /**
    * The name of the release.
@@ -35,6 +39,14 @@ export interface HelmChartOptions {
    */
   readonly repository?: string;
 
+  /**
+  * The chart in the form of an asset.
+  * Either this or `chart` must be specified.
+  *
+  * @default - No chart asset. Implies `chart` is used.
+  */
+  readonly chartAsset?: Asset;
+
   /**
    * The Kubernetes namespace scope of the requests.
    * @default default
@@ -102,11 +114,23 @@ export class HelmChart extends CoreConstruct {
       throw new Error('Helm chart timeout cannot be higher than 15 minutes.');
     }
 
+    if (!props.chart && !props.chartAsset) {
+      throw new Error("Either 'chart' or 'chartAsset' must be specified to install a helm chart");
+    }
+
+    if (props.chartAsset && (props.repository || props.version)) {
+      throw new Error(
+        "Neither 'repository' nor 'version' can be used when configuring 'chartAsset'",
+      );
+    }
+
     // default not to wait
     const wait = props.wait ?? false;
     // default to create new namespace
     const createNamespace = props.createNamespace ?? true;
 
+    props.chartAsset?.grantRead(provider.handlerRole);
+
     new CustomResource(this, 'Resource', {
       serviceToken: provider.serviceToken,
       resourceType: HelmChart.RESOURCE_TYPE,
@@ -115,6 +139,7 @@ export class HelmChart extends CoreConstruct {
         RoleArn: provider.roleArn, // TODO: bake into the provider's environment
         Release: props.release ?? Names.uniqueId(this).slice(-53).toLowerCase(), // Helm has a 53 character limit for the name
         Chart: props.chart,
+        ChartAssetURL: props.chartAsset?.s3ObjectUrl,
         Version: props.version,
         Wait: wait || undefined, // props are stringified so we encode “false” as undefined
         Timeout: timeout ? `${timeout.toString()}s` : undefined, // Helm v3 expects duration instead of integer

packages/@aws-cdk/aws-eks/lib/kubectl-handler/helm/__init__.py

@@ -2,6 +2,9 @@
 import logging
 import os
 import subprocess
+import shutil
+import zipfile
+from urllib.parse import urlparse, unquote
 
 logger = logging.getLogger()
 logger.setLevel(logging.INFO)
@@ -12,6 +15,16 @@
 outdir = os.environ.get('TEST_OUTDIR', '/tmp')
 kubeconfig = os.path.join(outdir, 'kubeconfig')
 
+def get_chart_asset_from_url(chart_asset_url):
+    chart_zip = os.path.join(outdir, 'chart.zip')
+    shutil.rmtree(chart_zip, ignore_errors=True)
+    subprocess.check_call(['aws', 's3', 'cp', chart_asset_url, chart_zip])
+    chart_dir = os.path.join(outdir, 'chart')
+    shutil.rmtree(chart_dir, ignore_errors=True)
+    os.mkdir(chart_dir)
+    with zipfile.ZipFile(chart_zip, 'r') as zip_ref:
+        zip_ref.extractall(chart_dir)
+    return chart_dir
 
 def helm_handler(event, context):
     logger.info(json.dumps(event))
@@ -20,17 +33,18 @@ def helm_handler(event, context):
     props = event['ResourceProperties']
 
     # resource properties
-    cluster_name = props['ClusterName']
-    role_arn     = props['RoleArn']
-    release      = props['Release']
-    chart        = props['Chart']
-    version      = props.get('Version', None)
-    wait         = props.get('Wait', False)
-    timeout      = props.get('Timeout', None)
-    namespace    = props.get('Namespace', None)
+    cluster_name     = props['ClusterName']
+    role_arn         = props['RoleArn']
+    release          = props['Release']
+    chart            = props.get('Chart', None)
+    chart_asset_url  = props.get('ChartAssetURL', None)
+    version          = props.get('Version', None)
+    wait             = props.get('Wait', False)
+    timeout          = props.get('Timeout', None)
+    namespace        = props.get('Namespace', None)
     create_namespace = props.get('CreateNamespace', None)
-    repository   = props.get('Repository', None)
-    values_text  = props.get('Values', None)
+    repository       = props.get('Repository', None)
+    values_text      = props.get('Values', None)
 
     # "log in" to the cluster
     subprocess.check_call([ 'aws', 'eks', 'update-kubeconfig',
@@ -51,6 +65,19 @@ def helm_handler(event, context):
             f.write(json.dumps(values, indent=2))
 
     if request_type == 'Create' or request_type == 'Update':
+        # Ensure chart or chart_asset_url are set
+        if chart == None and chart_asset_url == None:
+            raise RuntimeError(f'chart or chartAsset must be specified')
+
+        if chart_asset_url != None:
+            assert(chart==None)
+            assert(repository==None)
+            assert(version==None)
+            if not chart_asset_url.startswith('s3://'):
+              raise RuntimeError(f'ChartAssetURL must point to as s3 location but is {chart_asset_url}')
+            # future work: support versions from s3 assets
+            chart = get_chart_asset_from_url(chart_asset_url)
+
         helm('upgrade', release, chart, repository, values_file, namespace, version, wait, timeout, create_namespace)
     elif request_type == "Delete":
         try:

packages/@aws-cdk/aws-eks/package.json

@@ -97,6 +97,7 @@
   "dependencies": {
     "@aws-cdk/aws-autoscaling": "0.0.0",
     "@aws-cdk/aws-ec2": "0.0.0",
+    "@aws-cdk/aws-s3-assets": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/aws-kms": "0.0.0",
     "@aws-cdk/aws-lambda": "0.0.0",
@@ -116,6 +117,7 @@
   "peerDependencies": {
     "@aws-cdk/aws-autoscaling": "0.0.0",
     "@aws-cdk/aws-ec2": "0.0.0",
+    "@aws-cdk/aws-s3-assets": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/aws-kms": "0.0.0",
     "@aws-cdk/aws-lambda": "0.0.0",