EKS: Unable to log in ECR on AWS China partition when adding helm chart #28460

@yubingjiaocn

Describe the bug

When adding a Helm chart stored on ECR in the AWS China partition, CDK can't generate the correct login command to log in to ECR.

The correct repository address is 123456789012.dkr.ecr.cn-north-1.amazonaws.com.cn, while the regex in the following code only matches 123456789012.dkr.ecr.cn-north-1.amazonaws.com, causing an incomplete repository address.

```python
private_ecr_pattern = 'oci://(?P<registry>\d+\.dkr\.ecr\.(?P<region>[a-z0-9\-]+)\.amazonaws\.com)*'
```

Expected Behavior

Log in to the correct repository address, and the Helm chart should be installed successfully.

Current Behavior

Generated login command from log:

```
aws ecr get-login-password --region cn-north-1 | helm registry login --username AWS --password-stdin <Redacted>.dkr.ecr.cn-north-1.amazonaws.com; helm pull oci://<Redacted>.dkr.ecr.cn-north-1.amazonaws.com.cn/charts/<redacted> --version 0.1.0 --untar
```

Error log:

```
[ERROR] Exception: b'time="2023-12-21T22:46:15z” level=info msg="Error logging in to endpoint, trying next endpoint" error=Get \\"https://<Redacted>.dkr.ecr.cn-north-1.amazonaws.com/v2/\\": dial tcp: lookup <Redacted>.dkr.ecr.cn-north-1.amazonaws.com on 169.254.78.1:53: no such host"\nError: Get "https://<Redacted>.dkr.ecr.cn-north-1.amazonaws.com/v2/": dial tcp: lookup <Redacted>.dkr.ecr.cn-north-1.amazonaws.com on 169.254.78.1:53: no such host\n Error: unexpected status from HEAD request to https://<Redacted>.dkr.ecr.cn-north-1.amazonaws.com.cn/v2/sd-on-eks/charts/sd-on-eks/manifest/0.1.0: 401 Unauthorized
```

Reproduction Steps

  1. Push an OCI-formatted Helm chart to ECR in the AWS China partition.
  2. Add the Helm chart to the EKS cluster with the following code. Replace 123456789012 with your account ID and cn-northwest-1 with your region.

```python
eks.HelmChart(self, "MyOCIChart",
    cluster=cluster,
    chart="some-chart",
    repository="oci://123456789012.dkr.ecr.cn-northwest-1.amazonaws.com.cn/${REPO_NAME}",
    namespace="oci",
    version="0.0.1"
)
```

Possible Solution

Change regex to match AWS China partition suffix

Additional Information/Context

No response

CDK CLI Version

2.99.1

Framework Version

No response

Node.js Version

v18.17.1

OS

Linux (Ubuntu 22.04.1)

Language

TypeScript

Language Version

5.1.6

Other information

No response
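
The truncation described in this issue, reproduced as an added example (not part of the original issue and not the CDK project's fix). `FIXED`, `parse_private_ecr`, `login_command` and the sample repository strings are assumptions constructed for illustration; only the original pattern comes from the issue.

```python
import re

# Pattern quoted in the issue (written here as a raw string; same regex).
ORIGINAL = r'oci://(?P<registry>\d+\.dkr\.ecr\.(?P<region>[a-z0-9\-]+)\.amazonaws\.com)*'

# Assumed fix, not the CDK patch: accept the optional ".cn" partition suffix
# and require the hostname to end at "/" or end of string, so the captured
# registry can never be a prefix of a longer hostname.
FIXED = re.compile(
    r'oci://(?P<registry>\d+\.dkr\.ecr\.(?P<region>[a-z0-9\-]+)'
    r'\.amazonaws\.com(?:\.cn)?)(?=/|$)'
)


def parse_private_ecr(repository, pattern=FIXED):
    """Return (registry, region) for a private ECR OCI URL, else None."""
    m = re.match(pattern, repository)
    # The original pattern's trailing "*" lets it match with an empty group.
    if m is None or m.group('registry') is None:
        return None
    return m.group('registry'), m.group('region')


def login_command(repository):
    """Build the login pipeline shown in the issue's log for a parsed registry."""
    parsed = parse_private_ecr(repository)
    if parsed is None:
        raise ValueError(f'not a private ECR OCI repository: {repository!r}')
    registry, region = parsed
    return (f'aws ecr get-login-password --region {region} | '
            f'helm registry login --username AWS --password-stdin {registry}')


# Constructed sample inputs (account ID and chart paths are placeholders).
CN = 'oci://123456789012.dkr.ecr.cn-north-1.amazonaws.com.cn/charts/demo'
STD = 'oci://123456789012.dkr.ecr.us-east-1.amazonaws.com/charts/demo'
LONGER_HOST = 'oci://123456789012.dkr.ecr.us-east-1.amazonaws.com.example.org/x'

if __name__ == '__main__':
    for repo in (CN, STD, LONGER_HOST):
        print(repo)
        print('  original:', parse_private_ecr(repo, ORIGINAL))
        print('  fixed:   ', parse_private_ecr(repo, FIXED))
```

With the original pattern the login host and the pull host differ for China-partition repositories, which is the mismatch visible in the generated command above.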

Labels: @aws-cdk/aws-eks, bug, effort/small, p2