fix(eks): malformed command when installing helm chart from OCI artifact (#19778)

tsahiduek · web-flow · commit f8babb8f0f88 · 2022-04-07T14:44:58.000Z
When using helm to pull OCI artifacts, the helm pull command doesn't works well. The [check_output](https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess) uses shell=True. That means that all arguments of the commands being passed to the check_output are basically been passed to the shell and not to the helm pull command. Using shell is also discouraged from [security perspective](https://docs.python.org/3/library/subprocess.html#security-considerations) References: https://docs.python.org/3/library/subprocess.html > On POSIX with shell=True, the shell defaults to /bin/sh. If args is a string, the string specifies the command to execute through the shell. This means that the string must be formatted exactly as it would be when typed at the shell prompt. This includes, for example, quoting or backslash escaping filenames with spaces in them. If args is a sequence, the first item specifies the command string, and any additional items will be treated as additional arguments to the shell itself. https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess The previous change that used the `Shell=True` was introduced in commit - #18547 (comment) EDIT: Adding commit for the following items: - Adding integration test for helm OCI support in aws-eks - Upgrading helm version to 3.8.1 in `aws-lambda-layer` because of issues with the current version of helm that is been used, for OCI chart supports - update `integ.eks-helm-asset.expected.json` file ---- ### All Submissions: * [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) - NO new unconventional dependencies ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? - NO * [ ] Did you use `cdk-integ` to deploy the infrastructure and generate the snapshot (i.e. `cdk-integ` without `--dry-run`)? - NO *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-eks/lib/kubectl-handler/helm/__init__.py b/packages/@aws-cdk/aws-eks/lib/kubectl-handler/helm/__init__.py
@@ -108,7 +108,7 @@ def get_oci_cmd(repository, version):
             ]
     else:
         logger.info("Non AWS OCI repository found")
-        cmnd = ['HELM_EXPERIMENTAL_OCI=1', 'helm', 'pull', repository, '--version', version, '--untar']
+        cmnd = ['helm', 'pull', repository, '--version', version, '--untar']
 
     return cmnd
 
@@ -123,7 +123,7 @@ def get_chart_from_oci(tmpdir, release, repository = None, version = None):
         try:
             logger.info(cmnd)
             env = get_env_with_oci_flag()
-            output = subprocess.check_output(cmnd, stderr=subprocess.STDOUT, cwd=tmpdir, env=env, shell=True)
+            output = subprocess.check_output(cmnd, stderr=subprocess.STDOUT, cwd=tmpdir, env=env)
             logger.info(output)
 
             return os.path.join(tmpdir, release)
diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-helm-asset.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-helm-asset.expected.json
@@ -1075,6 +1075,37 @@
       "UpdateReplacePolicy": "Delete",
       "DeletionPolicy": "Delete"
     },
+    "Clustercharttestocichart9C188967": {
+      "Type": "Custom::AWSCDK-EKS-HelmChart",
+      "Properties": {
+        "ServiceToken": {
+          "Fn::GetAtt": [
+            "awscdkawseksKubectlProviderNestedStackawscdkawseksKubectlProviderNestedStackResourceA7AEBA6B",
+            "Outputs.awscdkekshelmtestawscdkawseksKubectlProviderframeworkonEvent9D93C644Arn"
+          ]
+        },
+        "ClusterName": {
+          "Ref": "Cluster9EE0221C"
+        },
+        "RoleArn": {
+          "Fn::GetAtt": [
+            "ClusterCreationRole360249B6",
+            "Arn"
+          ]
+        },
+        "Release": "s3-chart",
+        "Chart": "s3-chart",
+        "Version": "v0.0.19",
+        "Namespace": "ack-system",
+        "Repository": "oci://public.ecr.aws/aws-controllers-k8s/s3-chart",
+        "CreateNamespace": true
+      },
+      "DependsOn": [
+        "ClusterKubectlReadyBarrier200052AF"
+      ],
+      "UpdateReplacePolicy": "Delete",
+      "DeletionPolicy": "Delete"
+    },
     "awscdkawseksClusterResourceProviderNestedStackawscdkawseksClusterResourceProviderNestedStackResource9827C454": {
       "Type": "AWS::CloudFormation::Stack",
       "Properties": {
@@ -1171,7 +1202,7 @@
               },
               "/",
               {
-                "Ref": "AssetParameters6d85f035a38de5e5a2362ad891388f472b5d63327246684c8979b718f2ff3dc0S3Bucket4C69A575"
+                "Ref": "AssetParameters0f0fca85b345e05ce2d9856ebaef0bec86a728074139a71a31b68c96b20289efS3Bucket2C1AF85C"
               },
               "/",
               {
@@ -1181,7 +1212,7 @@
                     "Fn::Split": [
                       "||",
                       {
-                        "Ref": "AssetParameters6d85f035a38de5e5a2362ad891388f472b5d63327246684c8979b718f2ff3dc0S3VersionKeyCD3DAD60"
+                        "Ref": "AssetParameters0f0fca85b345e05ce2d9856ebaef0bec86a728074139a71a31b68c96b20289efS3VersionKey27D35864"
                       }
                     ]
                   }
@@ -1194,7 +1225,7 @@
                     "Fn::Split": [
                       "||",
                       {
-                        "Ref": "AssetParameters6d85f035a38de5e5a2362ad891388f472b5d63327246684c8979b718f2ff3dc0S3VersionKeyCD3DAD60"
+                        "Ref": "AssetParameters0f0fca85b345e05ce2d9856ebaef0bec86a728074139a71a31b68c96b20289efS3VersionKey27D35864"
                       }
                     ]
                   }
@@ -1219,11 +1250,11 @@
           "referencetoawscdkekshelmtestAssetParametersd65fbdc11b108e0386ed8577c454d4544f6d4e7960f84a0d2e211478d6324dbfS3Bucket5EAB45FARef": {
             "Ref": "AssetParametersd65fbdc11b108e0386ed8577c454d4544f6d4e7960f84a0d2e211478d6324dbfS3BucketBFD29DFB"
           },
-          "referencetoawscdkekshelmtestAssetParametersa70c48e7047fb793b2378668accb1dc2d92f2d7b1fff80c9c718f4964dc69cb8S3BucketC59436A3Ref": {
-            "Ref": "AssetParametersa70c48e7047fb793b2378668accb1dc2d92f2d7b1fff80c9c718f4964dc69cb8S3Bucket4CD5FFC3"
+          "referencetoawscdkekshelmtestAssetParameters07a1c6a504be72dba3e9bc5b12cc2b5b0e83ea5c6ba10a4128da5c2180f3f963S3BucketEC27A5F2Ref": {
+            "Ref": "AssetParameters07a1c6a504be72dba3e9bc5b12cc2b5b0e83ea5c6ba10a4128da5c2180f3f963S3Bucket9BDF5881"
           },
-          "referencetoawscdkekshelmtestAssetParametersa70c48e7047fb793b2378668accb1dc2d92f2d7b1fff80c9c718f4964dc69cb8S3VersionKey5ECB4296Ref": {
-            "Ref": "AssetParametersa70c48e7047fb793b2378668accb1dc2d92f2d7b1fff80c9c718f4964dc69cb8S3VersionKeyE06BA291"
+          "referencetoawscdkekshelmtestAssetParameters07a1c6a504be72dba3e9bc5b12cc2b5b0e83ea5c6ba10a4128da5c2180f3f963S3VersionKey5772F015Ref": {
+            "Ref": "AssetParameters07a1c6a504be72dba3e9bc5b12cc2b5b0e83ea5c6ba10a4128da5c2180f3f963S3VersionKey63AC53A2"
           },
           "referencetoawscdkekshelmtestVpcPrivateSubnet1Subnet3D2B5C0BRef": {
             "Ref": "VpcPrivateSubnet1Subnet536B997A"
@@ -1246,11 +1277,11 @@
           "referencetoawscdkekshelmtestAssetParameters92c405c4551a308bcdd55823f8b16268bd3c38fd2a011edaaf3ed72a80f557c4S3VersionKey149985B9Ref": {
             "Ref": "AssetParameters92c405c4551a308bcdd55823f8b16268bd3c38fd2a011edaaf3ed72a80f557c4S3VersionKeyEF78B2AD"
           },
-          "referencetoawscdkekshelmtestAssetParametersea17febe6d04c66048f3e8e060c71685c0cb53122abceff44842d27bc0d4a03eS3Bucket355FB348Ref": {
-            "Ref": "AssetParametersea17febe6d04c66048f3e8e060c71685c0cb53122abceff44842d27bc0d4a03eS3BucketD3288998"
+          "referencetoawscdkekshelmtestAssetParametersc6964dbf0c556ec82ce09622e99ad6f6d4e488cdaac0ef9e8492e078ec61ffedS3Bucket8229D3A2Ref": {
+            "Ref": "AssetParametersc6964dbf0c556ec82ce09622e99ad6f6d4e488cdaac0ef9e8492e078ec61ffedS3Bucket83B8778F"
           },
-          "referencetoawscdkekshelmtestAssetParametersea17febe6d04c66048f3e8e060c71685c0cb53122abceff44842d27bc0d4a03eS3VersionKeyA7F169F4Ref": {
-            "Ref": "AssetParametersea17febe6d04c66048f3e8e060c71685c0cb53122abceff44842d27bc0d4a03eS3VersionKeyB00C0565"
+          "referencetoawscdkekshelmtestAssetParametersc6964dbf0c556ec82ce09622e99ad6f6d4e488cdaac0ef9e8492e078ec61ffedS3VersionKey0C91EE3ERef": {
+            "Ref": "AssetParametersc6964dbf0c556ec82ce09622e99ad6f6d4e488cdaac0ef9e8492e078ec61ffedS3VersionKeyADF6A055"
           },
           "referencetoawscdkekshelmtestAssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3Bucket0A18730ERef": {
             "Ref": "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3BucketB4102E9A"
@@ -1351,17 +1382,17 @@
       "Type": "String",
       "Description": "Artifact hash for asset \"5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391\""
     },
-    "AssetParametersa70c48e7047fb793b2378668accb1dc2d92f2d7b1fff80c9c718f4964dc69cb8S3Bucket4CD5FFC3": {
+    "AssetParameters07a1c6a504be72dba3e9bc5b12cc2b5b0e83ea5c6ba10a4128da5c2180f3f963S3Bucket9BDF5881": {
       "Type": "String",
-      "Description": "S3 bucket for asset \"a70c48e7047fb793b2378668accb1dc2d92f2d7b1fff80c9c718f4964dc69cb8\""
+      "Description": "S3 bucket for asset \"07a1c6a504be72dba3e9bc5b12cc2b5b0e83ea5c6ba10a4128da5c2180f3f963\""
     },
-    "AssetParametersa70c48e7047fb793b2378668accb1dc2d92f2d7b1fff80c9c718f4964dc69cb8S3VersionKeyE06BA291": {
+    "AssetParameters07a1c6a504be72dba3e9bc5b12cc2b5b0e83ea5c6ba10a4128da5c2180f3f963S3VersionKey63AC53A2": {
       "Type": "String",
-      "Description": "S3 key for asset version \"a70c48e7047fb793b2378668accb1dc2d92f2d7b1fff80c9c718f4964dc69cb8\""
+      "Description": "S3 key for asset version \"07a1c6a504be72dba3e9bc5b12cc2b5b0e83ea5c6ba10a4128da5c2180f3f963\""
     },
-    "AssetParametersa70c48e7047fb793b2378668accb1dc2d92f2d7b1fff80c9c718f4964dc69cb8ArtifactHashA4AB6609": {
+    "AssetParameters07a1c6a504be72dba3e9bc5b12cc2b5b0e83ea5c6ba10a4128da5c2180f3f963ArtifactHash41646C3F": {
       "Type": "String",
-      "Description": "Artifact hash for asset \"a70c48e7047fb793b2378668accb1dc2d92f2d7b1fff80c9c718f4964dc69cb8\""
+      "Description": "Artifact hash for asset \"07a1c6a504be72dba3e9bc5b12cc2b5b0e83ea5c6ba10a4128da5c2180f3f963\""
     },
     "AssetParameters92c405c4551a308bcdd55823f8b16268bd3c38fd2a011edaaf3ed72a80f557c4S3BucketC479E94B": {
       "Type": "String",
@@ -1375,17 +1406,17 @@
       "Type": "String",
       "Description": "Artifact hash for asset \"92c405c4551a308bcdd55823f8b16268bd3c38fd2a011edaaf3ed72a80f557c4\""
     },
-    "AssetParametersea17febe6d04c66048f3e8e060c71685c0cb53122abceff44842d27bc0d4a03eS3BucketD3288998": {
+    "AssetParametersc6964dbf0c556ec82ce09622e99ad6f6d4e488cdaac0ef9e8492e078ec61ffedS3Bucket83B8778F": {
       "Type": "String",
-      "Description": "S3 bucket for asset \"ea17febe6d04c66048f3e8e060c71685c0cb53122abceff44842d27bc0d4a03e\""
+      "Description": "S3 bucket for asset \"c6964dbf0c556ec82ce09622e99ad6f6d4e488cdaac0ef9e8492e078ec61ffed\""
     },
-    "AssetParametersea17febe6d04c66048f3e8e060c71685c0cb53122abceff44842d27bc0d4a03eS3VersionKeyB00C0565": {
+    "AssetParametersc6964dbf0c556ec82ce09622e99ad6f6d4e488cdaac0ef9e8492e078ec61ffedS3VersionKeyADF6A055": {
       "Type": "String",
-      "Description": "S3 key for asset version \"ea17febe6d04c66048f3e8e060c71685c0cb53122abceff44842d27bc0d4a03e\""
+      "Description": "S3 key for asset version \"c6964dbf0c556ec82ce09622e99ad6f6d4e488cdaac0ef9e8492e078ec61ffed\""
     },
-    "AssetParametersea17febe6d04c66048f3e8e060c71685c0cb53122abceff44842d27bc0d4a03eArtifactHash4654D012": {
+    "AssetParametersc6964dbf0c556ec82ce09622e99ad6f6d4e488cdaac0ef9e8492e078ec61ffedArtifactHash2C972BAF": {
       "Type": "String",
-      "Description": "Artifact hash for asset \"ea17febe6d04c66048f3e8e060c71685c0cb53122abceff44842d27bc0d4a03e\""
+      "Description": "Artifact hash for asset \"c6964dbf0c556ec82ce09622e99ad6f6d4e488cdaac0ef9e8492e078ec61ffed\""
     },
     "AssetParametersd65fbdc11b108e0386ed8577c454d4544f6d4e7960f84a0d2e211478d6324dbfS3BucketBFD29DFB": {
       "Type": "String",
@@ -1411,17 +1442,17 @@
       "Type": "String",
       "Description": "Artifact hash for asset \"8da8ef613cd1b5a7cebfe44577f36e7ab0b4b00b97a7789401a48c80b78f0852\""
     },
-    "AssetParameters6d85f035a38de5e5a2362ad891388f472b5d63327246684c8979b718f2ff3dc0S3Bucket4C69A575": {
+    "AssetParameters0f0fca85b345e05ce2d9856ebaef0bec86a728074139a71a31b68c96b20289efS3Bucket2C1AF85C": {
       "Type": "String",
-      "Description": "S3 bucket for asset \"6d85f035a38de5e5a2362ad891388f472b5d63327246684c8979b718f2ff3dc0\""
+      "Description": "S3 bucket for asset \"0f0fca85b345e05ce2d9856ebaef0bec86a728074139a71a31b68c96b20289ef\""
     },
-    "AssetParameters6d85f035a38de5e5a2362ad891388f472b5d63327246684c8979b718f2ff3dc0S3VersionKeyCD3DAD60": {
+    "AssetParameters0f0fca85b345e05ce2d9856ebaef0bec86a728074139a71a31b68c96b20289efS3VersionKey27D35864": {
       "Type": "String",
-      "Description": "S3 key for asset version \"6d85f035a38de5e5a2362ad891388f472b5d63327246684c8979b718f2ff3dc0\""
+      "Description": "S3 key for asset version \"0f0fca85b345e05ce2d9856ebaef0bec86a728074139a71a31b68c96b20289ef\""
     },
-    "AssetParameters6d85f035a38de5e5a2362ad891388f472b5d63327246684c8979b718f2ff3dc0ArtifactHashBF9C53E1": {
+    "AssetParameters0f0fca85b345e05ce2d9856ebaef0bec86a728074139a71a31b68c96b20289efArtifactHash9EB43449": {
       "Type": "String",
-      "Description": "Artifact hash for asset \"6d85f035a38de5e5a2362ad891388f472b5d63327246684c8979b718f2ff3dc0\""
+      "Description": "Artifact hash for asset \"0f0fca85b345e05ce2d9856ebaef0bec86a728074139a71a31b68c96b20289ef\""
     }
   }
 }
diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-helm-asset.ts b/packages/@aws-cdk/aws-eks/test/integ.eks-helm-asset.ts
@@ -47,6 +47,15 @@ class EksClusterStack extends Stack {
     this.cluster.addHelmChart('test-chart', {
       chartAsset: chartAsset,
     });
+
+    this.cluster.addHelmChart('test-oci-chart', {
+      chart: 's3-chart',
+      release: 's3-chart',
+      repository: 'oci://public.ecr.aws/aws-controllers-k8s/s3-chart',
+      version: 'v0.0.19',
+      namespace: 'ack-system',
+      createNamespace: true,
+    });
   }
 }
 
diff --git a/packages/@aws-cdk/lambda-layer-kubectl/layer/Dockerfile b/packages/@aws-cdk/lambda-layer-kubectl/layer/Dockerfile
@@ -8,7 +8,7 @@ FROM public.ecr.aws/lambda/provided:latest
 # KUBECTL_VERSION should not be changed at the moment, see https://github.com/aws/aws-cdk/issues/15736
 # Version 1.21.0 is not compatible with version 1.20 (and lower) of the server.
 ARG KUBECTL_VERSION=1.20.0 
-ARG HELM_VERSION=3.5.4
+ARG HELM_VERSION=3.8.1
 
 USER root
 RUN mkdir -p /opt
