How can you install a helm chart from AWS ECR using helmfile?

Question

There is a way to install helm charts via AWS ECR using 'OCI', and using the AWS authentication method, but there are no detailed instructions on how to do it via helmfile.

What is the necessary helmfile.yaml configuration to be able to pull a helm chart from AWS ECR, then apply it as normal?

Answer 1

It is possible to use the oci repo without having to use any username or password in the helmfile, just authenticate yourself against AWS ECR and helm registry with this

aws ecr get-login-password \
     --region <region> | helm registry login \
     --username AWS \
     --password-stdin <account-id>.dkr.ecr.<region>.amazonaws.com

configure the ECR repo like this

- name: ecr
  url: <account-id>.dkr.ecr.<region>.amazonaws.com
  oci: true

and then just have the release like this

releases:
  - name: helm-oci-test
    chart: ecr/helm-oci-test
    chart: ecr/{{`{{ .Release.Name }}`}}
    version: 1.0.0

Tip: If your release names always match the repository then you can put some of the config into a template and have something like this

templates:
  oci-release: &oci-release
    chart: ecr/{{`{{ .Release.Name }}`}}
    version: 1.0.0

releases:
  - name: helm-oci-test
    inherit:
    - template: oci-release

Answer 2

I have figured it out! First, you need to authenticate as normal to AWS ECR and save the password in an environment variable like so...

export ECR_PASSWORD=$(aws ecr get-login-password --region $AWS_REGION)

Then you need to add ecr as a repository in the helmfile.yaml

repositories:
  - name: ecr
    url: {{ requiredEnv "AWS_ACCOUNT_ID" }}.dkr.ecr.{{ requiredEnv "AWS_REGION" }}.amazonaws.com
    oci: true
    username: 'AWS'
    password: '{{ requiredEnv "ECR_PASSWORD" }}'

Now, you can reference the repository in the releases section

releases:
  - name: helm-test-chart
    chart: ecr/helm-test-chart
    namespace: test
    version: 0.1.0
    ...