
CDK-Lib EKS Constructs - Private repo support for artifacts

Open elarsson1 opened this issue 2 years ago • 5 comments

Describe the feature

Allow customers to specify private repositories for external artifacts referenced by AWS provided constructs. For example, the AWS Load Balancer Controller construct directly references the public GitHub repo for its Helm chart:

https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-eks/lib/alb-controller.ts#L273

Use Case

Security sensitive customers have requirements for all software artifacts to be sourced from internal vetted repos that may take additional measures to ensure artifacts are immutable, and that consumption from upstream is vetted through organization required security checks. They cannot have a deployment trigger a system to pull artifacts directly from a source on the internet.

Proposed Solution

Expose artifact URLs as configuration instead of hard coding them in construct libraries. Allow customers to override the artifact URL with a local URL or OCI compliant repository for supported artifacts, such as container images or Helm charts.

Other Information

No response

Acknowledgements

  • [ ] I may be able to implement this feature request
  • [ ] This feature might incur a breaking change

CDK version used

2.92

Environment details (OS name and version, etc.)

Amazon Linux 2

elarsson1 avatar Aug 22 '23 17:08 elarsson1

Makes sense, thanks for the request.

peterwoodworth avatar Aug 22 '23 17:08 peterwoodworth

We can add a property to customize that URL.

rix0rrr avatar Aug 23 '23 08:08 rix0rrr

As a workaround, you can use escape hatches:

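import * as cdk from 'aws-cdk-lib';
import * as eks from 'aws-cdk-lib/aws-eks';

// Inside a Stack (or other construct), where `this` is the scope.
const cluster = new eks.Cluster(this, 'Cluster', {
  version: eks.KubernetesVersion.V1_27,
  albController: {
    version: eks.AlbControllerVersion.V2_2_3,
  },
});

// Walk from the ALB controller to its Helm chart, then to the underlying CloudFormation resource.
const albHelmChart = cluster.albController?.node.defaultChild as eks.HelmChart;
const albCr = albHelmChart.node.defaultChild?.node.defaultChild as cdk.CfnResource;
// Replace the hard-coded chart repository with the internal one.
albCr.addPropertyOverride('Repository', '<my-company-repository>');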

iliapolo avatar Aug 23 '23 17:08 iliapolo
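Added example, not part of the thread and not aws-cdk code: a check that can run over `cdk synth` output to confirm that overrides like the one above took effect, by listing every `Custom::AWSCDK-EKS-HelmChart` resource whose `Repository` is not on an approved host list. The function names, logical IDs, sample template and the host `charts.internal.example.com` are assumptions made for illustration.

```typescript
// Added example (not aws-cdk code): audit `cdk synth` output for Helm chart
// repositories outside an approved host list.
type Resource = { Type: string; Properties?: { [key: string]: unknown } };
type Template = { Resources?: { [logicalId: string]: Resource } };
type Finding = { logicalId: string; repository: string; reason: string };

// CloudFormation type that the aws-eks HelmChart construct synthesizes to.
const HELM_CHART_TYPE = 'Custom::AWSCDK-EKS-HelmChart';

// Extract the host from an https:// or oci:// URL. Userinfo ("user@host") is
// rejected so that "https://internal@other-host/" cannot pass as internal.
function repositoryHost(repository: string): string | undefined {
  const m = /^(?:https|oci):\/\/([^\/?#@]+)(?:[\/?#]|$)/i.exec(repository);
  return m && m[1] ? m[1].toLowerCase() : undefined;
}

function auditHelmRepositories(template: Template, allowedHosts: string[]): Finding[] {
  const findings: Finding[] = [];
  const resources = template.Resources || {};
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    if (!res || res.Type !== HELM_CHART_TYPE) continue;
    const repo = (res.Properties || {})['Repository'];
    // Assumption: a chart with no Repository is delivered another way
    // (for example as an asset) and is out of scope for this check.
    if (repo === undefined) continue;
    if (typeof repo !== 'string') {
      // Intrinsic functions (Fn::Join, Ref, ...) cannot be resolved offline.
      findings.push({ logicalId, repository: JSON.stringify(repo), reason: 'unresolved' });
      continue;
    }
    const host = repositoryHost(repo);
    if (host === undefined) {
      findings.push({ logicalId, repository: repo, reason: 'unparsable' });
    } else if (allowedHosts.indexOf(host) === -1) {
      findings.push({ logicalId, repository: repo, reason: 'not-allowed' });
    }
  }
  return findings;
}

// Constructed sample template; logical IDs and the internal host are made up.
const sampleTemplate: Template = {
  Resources: {
    AlbChart: { Type: HELM_CHART_TYPE, Properties: { Chart: 'aws-load-balancer-controller', Repository: 'https://aws.github.io/eks-charts' } },
    InternalChart: { Type: HELM_CHART_TYPE, Properties: { Chart: 'app', Repository: 'oci://charts.internal.example.com/app' } },
    EcrChart: { Type: HELM_CHART_TYPE, Properties: { Chart: 'svc', Repository: { 'Fn::Join': ['', ['oci://', { Ref: 'AWS::AccountId' }, '.dkr.ecr.example/svc']] } } },
    Bucket: { Type: 'AWS::S3::Bucket' },
  },
};
```

Hosts are compared exactly, so a repository URL that carries a port needs its `host:port` form on the allow list, and `unresolved` findings need a manual look at the deployed value.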

+1. Thank you @elarsson1 for raising this issue. We are definitely looking forward to a clean and easy solution as you have described. Thanks for the workaround @iliapolo. I will try it out.

manupatteri avatar Aug 25 '23 22:08 manupatteri

+1 Currently I have to host the image and helm chart package in ECR (privately), and add_helm_chart to the cluster to do this. Not even sure if some configurations are being missed going in this direction, versus using the construct's albController setup.

caretak3r avatar Nov 22 '23 14:11 caretak3r