feat(aws-eks): adding takeOwnership option to HelmChart construct

packages/@aws-cdk-testing/framework-integ/package.json

@@ -31,6 +31,7 @@
   "devDependencies": {
     "@aws-cdk/cdk-build-tools": "0.0.0",
     "@aws-cdk/integ-runner": "^0.0.0",
+    "@aws-cdk/lambda-layer-kubectl-v31": "^2.0.0",
     "@aws-cdk/pkglint": "0.0.0",
     "@aws-sdk/client-acm": "3.632.0",
     "@aws-sdk/client-rds": "3.632.0",

packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.ts

@@ -28,7 +28,7 @@ class EksClusterStack extends Stack {
       vpc: this.vpc,
       mastersRole,
       defaultCapacity: 2,
-      ...getClusterVersionConfig(this),
+      ...getClusterVersionConfig(this, eks.KubernetesVersion.V1_31),
       tags: {
         foo: 'bar',
       },
@@ -108,6 +108,21 @@ class EksClusterStack extends Stack {
       values: { aws: { region: this.region } },
     });
 
+    // testing installation with --take-ownership flag set to true
+    // https://gallery.ecr.aws/aws-controllers-k8s/sns-chart
+    this.cluster.addHelmChart('test-take-ownership-installation', {
+      chart: 'sns-chart',
+      release: 'sns-chart-release',
+      repository: 'oci://public.ecr.aws/aws-controllers-k8s/sns-chart',
+      version: '1.1.2',
+      namespace: 'ask-system',
+      createNamespace: true,
+      skipCrds: true,
+      atomic: true,
+      takeOwnership: true,
+      values: { aws: { region: this.region } },
+    });
+
     // https://github.com/orgs/grafana-operator/packages/container/package/helm-charts%2Fgrafana-operator
     this.cluster.addHelmChart('test-non-ecr-oci-chart', {
       chart: 'grafana-operator',

packages/@aws-cdk/aws-eks-v2-alpha/lib/helm-chart.ts

@@ -91,6 +91,13 @@ export interface HelmChartOptions {
    * @default - CRDs are installed if not already present
    */
   readonly skipCrds?: boolean;
+
+  /**
+   * if set, this will use the --take-ownership flag provided since helm >=v3.17.0.  Helm will not throw an error if any manifest
+   * that it renders if already on the cluster and will instead overwrite and annotate it with ownership from the rendered manifest
+   * @default false
+   */
+  readonly takeOwnership?: boolean;
 }
 
 /**
@@ -158,6 +165,8 @@ export class HelmChart extends Construct {
     const skipCrds = props.skipCrds ?? false;
     // default to set atomic as false
     const atomic = props.atomic ?? false;
+    // default to not take ownership since helm only only added this as of 3.17.0
+    const takeOwnership = props.takeOwnership ?? false;
 
     this.chartAsset?.grantRead(provider.handlerRole);
 
@@ -179,6 +188,7 @@ export class HelmChart extends Construct {
         CreateNamespace: createNamespace || undefined,
         SkipCrds: skipCrds || undefined,
         Atomic: atomic || undefined, // props are stringified so we encode “false” as undefined
+        TakeOwnership: takeOwnership || undefined,
       },
     });
   }

packages/@aws-cdk/aws-eks-v2-alpha/lib/kubectl-handler/helm/__init__.py

@@ -53,6 +53,7 @@ def helm_handler(event, context):
     repository       = props.get('Repository', None)
     values_text      = props.get('Values', None)
     skip_crds        = props.get('SkipCrds', False)
+    take_ownership   = props.get('TakeOwnership', False)
 
     # "log in" to the cluster
     subprocess.check_call([ 'aws', 'eks', 'update-kubeconfig',
@@ -91,7 +92,7 @@ def helm_handler(event, context):
             chart_dir = get_chart_from_oci(tmpdir.name, repository, version)
             chart = chart_dir
 
-        helm('upgrade', release, chart, repository, values_file, namespace, version, wait, timeout, create_namespace, atomic=atomic)
+        helm('upgrade', release, chart, repository, values_file, namespace, version, wait, timeout, create_namespace, atomic=atomic, take_ownership=take_ownership)
     elif request_type == "Delete":
         try:
             helm('uninstall', release, namespace=namespace, wait=wait, timeout=timeout)
@@ -158,7 +159,7 @@ def get_chart_from_oci(tmpdir, repository = None, version = None):
     raise Exception(f'Operation failed after {maxAttempts} attempts: {output}')
 
 
-def helm(verb, release, chart = None, repo = None, file = None, namespace = None, version = None, wait = False, timeout = None, create_namespace = None, skip_crds = False, atomic = False):
+def helm(verb, release, chart = None, repo = None, file = None, namespace = None, version = None, wait = False, timeout = None, create_namespace = None, skip_crds = False, atomic = False, take_ownership = False):
     import subprocess
 
     cmnd = ['helm', verb, release]
@@ -183,7 +184,9 @@ def helm(verb, release, chart = None, repo = None, file = None, namespace = None
     if not timeout is None:
         cmnd.extend(['--timeout', timeout])
     if atomic:
-        cmnd.append('--atomic')    
+        cmnd.append('--atomic')   
+    if take_ownership:
+        cmnd.append('--take-ownership') 
     cmnd.extend(['--kubeconfig', kubeconfig])
 
     maxAttempts = 3

packages/@aws-cdk/custom-resource-handlers/lib/aws-eks/kubectl-handler/helm/__init__.py

@@ -53,6 +53,7 @@ def helm_handler(event, context):
     repository       = props.get('Repository', None)
     values_text      = props.get('Values', None)
     skip_crds        = props.get('SkipCrds', False)
+    take_ownership   = props.get('TakeOwnership', False)
 
     # "log in" to the cluster
     subprocess.check_call([ 'aws', 'eks', 'update-kubeconfig',
@@ -91,7 +92,7 @@ def helm_handler(event, context):
             chart_dir = get_chart_from_oci(tmpdir.name, repository, version)
             chart = chart_dir
 
-        helm('upgrade', release, chart, repository, values_file, namespace, version, wait, timeout, create_namespace, atomic=atomic)
+        helm('upgrade', release, chart, repository, values_file, namespace, version, wait, timeout, create_namespace, atomic=atomic, take_ownership=take_ownership)
     elif request_type == "Delete":
         try:
             helm('uninstall', release, namespace=namespace, wait=wait, timeout=timeout)
@@ -158,7 +159,7 @@ def get_chart_from_oci(tmpdir, repository = None, version = None):
     raise Exception(f'Operation failed after {maxAttempts} attempts: {output}')
 
 
-def helm(verb, release, chart = None, repo = None, file = None, namespace = None, version = None, wait = False, timeout = None, create_namespace = None, skip_crds = False, atomic = False):
+def helm(verb, release, chart = None, repo = None, file = None, namespace = None, version = None, wait = False, timeout = None, create_namespace = None, skip_crds = False, atomic = False, take_ownership = False):
     import subprocess
 
     cmnd = ['helm', verb, release]
@@ -183,7 +184,9 @@ def helm(verb, release, chart = None, repo = None, file = None, namespace = None
     if not timeout is None:
         cmnd.extend(['--timeout', timeout])
     if atomic:
-        cmnd.append('--atomic')    
+        cmnd.append('--atomic')
+    if take_ownership:
+        cmnd.append('--take-ownership')
     cmnd.extend(['--kubeconfig', kubeconfig])
 
     maxAttempts = 3

packages/aws-cdk-lib/aws-eks/lib/helm-chart.ts

@@ -91,6 +91,14 @@ export interface HelmChartOptions {
    * @default - CRDs are installed if not already present
    */
   readonly skipCrds?: boolean;
+
+  /**
+   * if set, this will use the --take-ownership flag provided since helm >=v3.17.0.  Helm will not throw an error if any manifest
+   * that it renders if already on the cluster and will instead overwrite and annotate it with ownership from the rendered manifest
+   *
+   * @default false
+   */
+  readonly takeOwnership?: boolean;
 }
 
 /**
@@ -158,6 +166,8 @@ export class HelmChart extends Construct {
     const skipCrds = props.skipCrds ?? false;
     // default to set atomic as false
     const atomic = props.atomic ?? false;
+    // default to not take ownership since helm only only added this as of 3.17.0
+    const takeOwnership = props.takeOwnership ?? false;
 
     this.chartAsset?.grantRead(provider.handlerRole);
 
@@ -179,6 +189,7 @@ export class HelmChart extends Construct {
         CreateNamespace: createNamespace || undefined,
         SkipCrds: skipCrds || undefined,
         Atomic: atomic || undefined, // props are stringified so we encode “false” as undefined
+        TakeOwnership: takeOwnership || undefined,
       },
     });
   }

packages/aws-cdk-lib/aws-eks/test/helm-chart.test.ts

@@ -236,6 +236,29 @@ describe('helm chart', () => {
 
     });
 
+    test('should enable takeOwnership operations when specified', () => {
+      //GIVEN
+      const { stack, cluster } = testFixtureCluster();
+
+      //WHEN
+      new eks.HelmChart(stack, 'MyAtomicChart', { cluster, chart: 'chart', takeOwnership: true });
+
+      //THEN
+      Template.fromStack(stack).hasResourceProperties(eks.HelmChart.RESOURCE_TYPE, { TakeOwnership: true });
+    });
+
+    test('should disable takeOwnership operations by default', () => {
+      //GIVEN
+      const { stack, cluster } = testFixtureCluster();
+
+      //WHEN
+      new eks.HelmChart(stack, 'MyAtomicChart', { cluster, chart: 'chart' });
+
+      //THEN
+      const charts = Template.fromStack(stack).findResources(eks.HelmChart.RESOURCE_TYPE, { Atomic: true });
+      expect(Object.keys(charts).length).toEqual(0);
+    });
+
     test('should timeout only after 10 minutes', () => {
       // GIVEN
       const { stack, cluster } = testFixtureCluster();

packages/aws-cdk-lib/recommended-feature-flags.json

@@ -61,5 +61,6 @@
   "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": true,
   "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": true,
   "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": true,
-  "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true
+  "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true,
+  "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true
 }