addons: Unable to validate HELM chart through proxy #845

Open
rmsilva1973 opened this issue Sep 20, 2023 · 1 comment
Labels
bug Something isn't working

Comments

@rmsilva1973

Describe the bug

Running "cdk synth" from a desktop on a corporate network with proxy variables (http_proxy and https_proxy) on a project using helm addons (like "blueprints.SecretsAddon") fails.

Expected Behavior

"cdk synth" should be able to look up the helm addons using the corporate proxy set up by environment variables

Current Behavior

"cdk synth" fails with:

    /home/myuser/dev/cdk-eks-project/node_modules/sync-rpc/lib/index.js:165
    const error = new Error(msg.v.message);
    ^
    Error: unable to get local issuer certificate
        at extractValue (/home/myuser/dev/cdk-eks-project/node_modules/sync-rpc/lib/index.js:165:19)
        at /home/myuser/dev/cdk-eks-project/node_modules/sync-rpc/lib/index.js:175:12
        at request (/home/myuser/dev/cdk-eks-project/node_modules/sync-request/lib/index.js:28:15)
        at loadExternalYaml (/home/myuser/dev/cdk-eks-project/node_modules/@aws-quickstart/eks-blueprints/lib/utils/yaml-utils.ts:46:22)
        at listChartVersions (/home/myuser/dev/cdk-eks-project/node_modules/@aws-quickstart/eks-blueprints/lib/addons/helm-addon/helm-version-checker.ts:74:48)
        at checkHelmChartVersion (/home/myuser/dev/cdk-eks-project/node_modules/@aws-quickstart/eks-blueprints/lib/addons/helm-addon/helm-version-checker.ts:91:20)
        at Function.validateVersion (/home/myuser/dev/cdk-eks-project/node_modules/@aws-quickstart/eks-blueprints/lib/addons/helm-addon/index.ts:64:49)
        at CsiDriverProviderAws.deploy (/home/myuser/dev/cdk-eks-project/node_modules/@aws-quickstart/eks-blueprints/lib/addons/secrets-store/csi-driver-provider-aws.ts:45:15)
        at SecretsStoreAddOn.deploy (/home/myuser/dev/cdk-eks-project/node_modules/@aws-quickstart/eks-blueprints/lib/addons/secrets-store/index.ts:66:53)
        at new EksBlueprint (/home/myuser/dev/cdk-eks-project/node_modules/@aws-quickstart/eks-blueprints/lib/stacks/eks-blueprint-stack.ts:263:34) {
      code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
    }

Reproduction Steps

  1. Create a simple EKS project using CDK EKS blueprint with an addon like this:
        const addOns: Array<blueprints.ClusterAddOn> = [
            new blueprints.SecretsStoreAddOn()
        ];
        const cluster = blueprints.EksBlueprint.builder()
            .account(CdkAccount)
            .region(CdkRegion)
            .addOns(...addOns)
            .teams(...teams)
            .resourceProvider(blueprints.GlobalResources.Vpc, networkVPCProvider)
            .clusterProvider(genericClusterProvider)
            .build(scope, `my-eks-${id}`);
  2. Configure the environment variables to point to the corporate proxy
  3. Set up AWS account credentials
  4. Run "cdk synth"

Possible Solution

This bug seems to be caused by the fact that the library sync-rpc, used by sync-request, used by blueprints yaml-utils.ts, spawns a child process which apparently doesn't honor the proxy configurations.

Suggestion: I'm not sure if the loadExternalYaml function in yaml-utils.ts is downloading from an HTTP(S) URL but if that's the case, perhaps sync-request should be dropped in favor of a newer library which honors proxy environments.

Additional Information/Context

No response

CDK CLI Version

2.86.0

EKS Blueprints Version

1.11.13

Node.js Version

18.17.1

Environment details (OS name and version, etc.)

Ubuntu 22.04

Other information

No response

@rmsilva1973 rmsilva1973 added the bug Something isn't working label Sep 20, 2023
@rmsilva1973 rmsilva1973 changed the title (module name): (short issue description) addons: Unable to validate HELM chart through corporate. Sep 20, 2023
@rmsilva1973 rmsilva1973 changed the title addons: Unable to validate HELM chart through corporate. addons: Unable to validate HELM chart through proxy Sep 20, 2023
@shapirov103
Collaborator

This particular issue appears to be caused by the Helm version validation. It is using load external YAML for index.yaml based Helm repos and fails on potentially custom? addon.

You can turn off helm version validation either globally or per addon as described here.

Hope it helps.
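
An added example, not code from the issue or from the eks-blueprints project: UNABLE_TO_GET_ISSUER_CERT_LOCALLY in the trace above is Node's code for a certificate chain it cannot build to a trusted CA, so this check audits the proxy and TLS-trust environment variables that `cdk synth` and its child processes inherit. The function name `auditSynthEnv`, the finding ids and the sample values are assumptions constructed for illustration.

```javascript
// Added example: audits the environment `cdk synth` and its children inherit.
const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;
function auditSynthEnv(env, readFile) {
  const findings = [];
  const add = (level, id, msg) => findings.push({ level, id, msg });
  const get = (name) => env[name] || env[name.toUpperCase()] || '';

  // Proxy variables named in the issue; lower and upper case are both in use.
  const proxy = get('https_proxy') || get('http_proxy');
  if (!proxy) {
    add('info', 'no-proxy', 'no http_proxy/https_proxy set');
  } else {
    let url = null;
    try { url = new URL(proxy); } catch (e) {
      add('error', 'proxy-unparsable', 'proxy value is not a URL');
    }
    if (url && (url.username || url.password)) {
      add('warn', 'proxy-credentials',
        `credentials for ${url.host} are inherited by every child process`);
    }
  }

  // Switching verification off hides the error by accepting any certificate.
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    add('high', 'tls-verification-off', 'certificate checks are disabled');
  }

  // Node adds the PEM certificates in this file to its bundled roots at start.
  const caPath = env.NODE_EXTRA_CA_CERTS;
  if (!caPath) {
    add('warn', 'no-extra-ca', 'by default only CAs bundled with Node are trusted');
  } else {
    let pem = null;
    try { pem = String(readFile(caPath)); } catch (e) {
      add('error', 'extra-ca-unreadable', `${caPath}: ${e.message}`);
    }
    const count = pem === null ? -1 : (pem.match(PEM_CERT) || []).length;
    if (count === 0) add('error', 'extra-ca-empty', `${caPath} has no PEM certificate`);
    if (count > 0) add('ok', 'extra-ca-loaded', `${caPath}: ${count} certificate(s)`);
  }
  return findings;
}

// Constructed sample values; real use passes process.env and fs.readFileSync.
const sampleEnv = { https_proxy: 'http://user:secret@proxy.example.internal:3128',
  NODE_EXTRA_CA_CERTS: '/etc/ssl/corp-ca.pem' };
const samplePem = '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n';
const ids = (findings) => findings.map((f) => f.id);
console.log(ids(auditSynthEnv(sampleEnv, () => samplePem)));
```

A `tls-verification-off` finding means the certificate error has been hidden rather than fixed; the trust-preserving setup is a readable NODE_EXTRA_CA_CERTS bundle holding the CA that signs the proxy's certificates.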
