aws / containers-roadmap

This is the public roadmap for AWS container services (ECS, ECR, Fargate, and EKS).
https://aws.amazon.com/about-aws/whats-new/containers/

[ECS] [request]: Support privately signed CA's for ECS fargate tasks pulling from private registries #1301

Open Shocktrooper opened 3 years ago

Shocktrooper commented 3 years ago


Tell us about your request For a Fargate task that pulls from a private repository, either allow you to point at an ACM certificate ARN or pass in the public cert for verification of the image-pull endpoint

Which service(s) is this request for? ECS Fargate and potentially ECS EC2

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? In our corporate environment we are not allowed to have public-facing applications, and as such all of our VPCs are private and all CA certificates are signed by a non-public internal CA. This presents a problem for corporate customers like myself because we cannot tell containerd/the Docker daemon to trust a root/intermediate certificate at all when trying to pull from our internal container repository with an internally signed CA

Related Issues:

Are you currently working around this issue? We are currently not working around this issue but are looking for possible solutions. One possibility is pushing to ECR, but the issue with this is that the images need to go cross-account, and ECR currently presents itself as a heavy-handed solution to a problem we can solve with our private internal container repository

Additional context If this functionality cannot be implemented within a short time period, the documentation at the following link should at least be updated to say that only container registries with publicly signed CA certificates are supported at this time, because this missing functionality was not discovered until the container deployment solution had been created. Relevant Links: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html

Attachments If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)

thameezb commented 2 years ago

Any update on this? Seems like a bit of an issue if Fargate cannot connect to Repositories with self-signed certs

Shocktrooper commented 2 years ago

Any update on this? Seems like a bit of an issue if Fargate cannot connect to Repositories with self-signed certs

We got around this for now by provisioning a publicly signed CA cert that points at a private hosted zone in AWS, which then points at an internal load balancer. Since the certificate being served up is publicly signed, Fargate doesn't complain. This is still an issue for people that cannot have this type of setup, because it requires the use of a non-internally signed CA cert to accomplish this workaround
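The workaround described above (publicly trusted certificate on an internal load balancer, with a private hosted zone resolving the public name inside the VPC), sketched as an added Terraform example that is not from the issue or from AWS; the resource and variable names, the example.com domain, and the pre-existing registry target group are assumptions:

```hcl
variable "registry_fqdn"             {} # e.g. "registry.example.com"; placeholder domain the account controls
variable "vpc_id"                    {}
variable "private_subnet_ids"        {}
variable "registry_target_group_arn" {} # target group in front of the registry hosts (assumed to exist)

# 1. Publicly trusted ACM certificate. DNS validation must be completed in the
#    domain's PUBLIC zone (aws_acm_certificate_validation, omitted here), even though
#    the registry itself is only reachable inside the VPC.
resource "aws_acm_certificate" "registry" {
  domain_name       = var.registry_fqdn
  validation_method = "DNS"
}

# 2. Internal ALB terminating TLS with that certificate; this is the endpoint the
#    Fargate image pull connects to and verifies against the public root store.
resource "aws_lb" "registry" {
  name               = "registry-internal"
  internal           = true
  load_balancer_type = "application"
  subnets            = var.private_subnet_ids
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.registry.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = aws_acm_certificate.registry.arn
  default_action {
    type             = "forward"
    target_group_arn = var.registry_target_group_arn
  }
}

# 3. Private hosted zone attached to the VPC: inside it the public name resolves to
#    the internal ALB, so no public A record for the registry is ever published.
resource "aws_route53_zone" "private" {
  name = "example.com" # parent of registry_fqdn; placeholder
  vpc { vpc_id = var.vpc_id }
}

resource "aws_route53_record" "registry_private" {
  zone_id = aws_route53_zone.private.zone_id
  name    = var.registry_fqdn
  type    = "A"
  alias {
    name                   = aws_lb.registry.dns_name
    zone_id                = aws_lb.registry.zone_id
    evaluate_target_health = false
  }
}
```

Because the certificate is publicly issued, the registry hostname will appear in public DNS validation records and in certificate transparency logs, so the registry must still enforce its own authentication (for ECS, via the task definition's repositoryCredentials); a trusted certificate only proves the endpoint's identity, not who is allowed to pull.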

thameezb commented 2 years ago

Any update on this? Seems like a bit of an issue if Fargate cannot connect to Repositories with self-signed certs

We got around this for now by provisioning a publicly signed CA cert that points at a private hosted zone in AWS, which then points at an internal load balancer. Since the certificate being served up is publicly signed, Fargate doesn't complain. This is still an issue for people that cannot have this type of setup, because it requires the use of a non-internally signed CA cert to accomplish this workaround

That is the route we have had to take as well. It's rather unfortunate to have to resort to this method, as it adds cost and complexity to the architecture

boyersnet commented 2 years ago

I'd also like to see this for EKS with Fargate.

themish95 commented 2 years ago

Would love to see this on Batch (Fargate) as well

montumodi commented 1 year ago

Is there any update on this or any other workarounds?

LJArendse commented 1 year ago

From a containers roadmap perspective, is there any feedback for enabling Fargate to use a private Docker registry (with a self-signed or internally signed certificate, by a non-public Internal CA) for pulling Docker images?

As discussed, this is a limitation for using Fargate within an enterprise implementation, where private registries are used.

malcolmm83 commented 1 year ago

Any updates?

johndanielpreston commented 7 months ago

I'll just add my vote to the 'this affects our work too' and it's for a US gov't network that secures its registries with certificates issued by a 'private' CA which is used by millions of endpoints across multiple networks and levels of disconnectedness from the outside world.