aws / amazon-ecs-init

Amazon Elastic Container Service RPM
http://aws.amazon.com/ecs
Apache License 2.0

Support overriding ecs agent certificate with host certificate for generic rpm package #422

Closed fenxiong closed 3 years ago

fenxiong commented 3 years ago

Summary

Overriding the certificate used by the ecs agent with certificate on the host is currently not supported in generic rpm.

Description

On Amazon Linux and deb platforms, ecs-init mounts the certs from a few hardcoded configs (e.g. https://github.com/aws/amazon-ecs-init/blob/master/ecs-init/config/config_suse_ubuntu_debian.go#L20-L21), which allows customers to let the ecs agent use the certificate from the host, instead of the certificate bundled in the ecs agent image copied during our build process (https://github.com/aws/amazon-ecs-agent/blob/master/misc/certs/Dockerfile#L8-L10).

For generic rpm, due to the fact that different rpm-based platforms might have different locations of certs on the host (for example, on SUSE the certs are in /etc/ssl/certs while on CentOS the certs are in /etc/pki/tls/certs), we are unable to set these configs to a hardcoded value, since if we specify the cert path for one of them, the other platform will fail due to the missing directory when adding the bind mount. Therefore, currently for generic rpm, ecs-init does not add these cert bind mounts, and as a result the ecs agent will default to using the certs bundled in the image. In order to support letting the ecs agent use certs from the host for generic rpm, we will need some additional change; potentially we can ask the user to pass the cert location as an env to the rpm, and then we bind mount the certs from that location.

Expected Behavior

When using generic rpm, customers can let the ecs agent use the certificate from the host it runs on, instead of the certificate bundled in the ecs agent image.

Observed Behavior

When using generic rpm, customers are unable to let the ecs agent use the certificate from the host. The ecs agent will only use the certificate in its own image.

Environment Details

Supporting Log Snippets
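The approach sketched in the issue (take the host cert location from an env var, and only add the bind mount when that directory actually exists) can be illustrated with the following Go snippet. This is an added example, not ecs-init's own code: the variable name `ECS_HOST_CERTS_DIR`, the in-container path `/etc/ssl/certs`, and the candidate order are assumptions made for the example. The two candidate host directories are the ones named in the issue.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Host CA bundle directories named in the issue; the search order is an
// assumption for this example, not ecs-init's configuration.
var defaultHostCertDirs = []string{
	"/etc/ssl/certs",     // SUSE (and Debian family)
	"/etc/pki/tls/certs", // CentOS / RHEL family
}

// agentCertDir is where the agent container expects the bundle.
// Constructed for this example, not taken from ecs-init.
const agentCertDir = "/etc/ssl/certs"

// ErrNoHostCerts means no candidate directory exists on this host, so the
// agent should keep using the certs bundled in its image.
var ErrNoHostCerts = errors.New("no host certificate directory found")

// checkDir reports whether p exists and is a directory.
func checkDir(p string) error {
	info, err := os.Stat(p)
	if err != nil {
		return err
	}
	if !info.IsDir() {
		return fmt.Errorf("%s is not a directory", p)
	}
	return nil
}

// resolveHostCertDir picks the directory to bind mount. An explicit override
// wins, but it must exist: a typo in the override is reported as an error
// instead of silently falling back to the bundled certs, which would leave
// the operator believing the host trust store is in use when it is not.
// Without an override, the first existing candidate is used.
func resolveHostCertDir(override string, candidates []string) (string, error) {
	if override != "" {
		if err := checkDir(override); err != nil {
			return "", fmt.Errorf("cert dir override %q: %w", override, err)
		}
		return filepath.Clean(override), nil
	}
	for _, dir := range candidates {
		if checkDir(dir) == nil {
			return filepath.Clean(dir), nil
		}
	}
	return "", ErrNoHostCerts
}

// certBindMount returns a docker-style "host:container:ro" bind-mount spec
// for the host CA bundle, or "" when no host directory was found and the
// agent should keep its bundled certs. The mount is read-only: the agent
// has no reason to write to the host trust store.
func certBindMount(override string, candidates []string) (string, error) {
	dir, err := resolveHostCertDir(override, candidates)
	if errors.Is(err, ErrNoHostCerts) {
		return "", nil
	}
	if err != nil {
		return "", err
	}
	return dir + ":" + agentCertDir + ":ro", nil
}

func main() {
	// ECS_HOST_CERTS_DIR is a hypothetical variable name for this example.
	spec, err := certBindMount(os.Getenv("ECS_HOST_CERTS_DIR"), defaultHostCertDirs)
	switch {
	case err != nil:
		fmt.Fprintln(os.Stderr, "refusing to start agent:", err)
		os.Exit(1)
	case spec == "":
		fmt.Println("no host certs found; agent will use the certs bundled in its image")
	default:
		fmt.Println("adding bind mount:", spec)
	}
}
```

The existence check is the part that addresses the failure described in the issue: the container runtime refuses a bind mount whose host path is missing, so probing each candidate first lets one generic package behave correctly on both SUSE-style and CentOS-style layouts, while an explicit override that points nowhere fails loudly rather than quietly keeping the bundled bundle.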