
[ECS] [request]: Support privately signed CA's for ECS fargate tasks pulling from private registries

Open Shocktrooper opened this issue 3 years ago • 4 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request

For a Fargate task, if you are pulling from a private repository, either allow you to point at an ACM certificate ARN or pass in the public cert for verification of the endpoint of the image pull.

Which service(s) is this request for?

ECS Fargate and potentially ECS EC2

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

In our corporate environment we are not allowed to have public-facing applications, and as such all of our VPCs are private and all CA certificates are signed by a non-public internal CA. This presents a problem for corporate customers like myself because we cannot tell Containerd/the Docker daemon to trust a root/intermediate certificate at all when trying to pull from our internal container repository with an internally signed CA.

Related Issues:

  • #740
  • #98

Are you currently working around this issue?

We are currently not working around this issue but are looking for possible solutions. One possibility is pushing to ECR, but the issue with this is that the images need to go cross-account, and ECR currently presents itself as a heavy-handed solution for a problem we can solve with our private internal container repository.

Additional context

If this functionality cannot be implemented within a short time period, the documentation at the following link should at least be updated to say that only container registries with publicly signed CA certificates are supported at this time, because this missing functionality was not found out until the container deployment solution was created.

Relevant Links: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html

Attachments

If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)

Shocktrooper avatar Mar 05 '21 22:03 Shocktrooper

Any update on this? Seems like a bit of an issue if Fargate cannot connect to Repositories with self-signed certs

thameezb avatar Oct 26 '21 08:10 thameezb

> Any update on this? Seems like a bit of an issue if Fargate cannot connect to Repositories with self-signed certs

We got around this for now by provisioning a publicly signed CA cert that points at a private hosted zone in AWS, which then points at an internal load balancer. Since the certificate being served up is publicly signed, Fargate doesn't complain. This is still an issue for people that cannot have this type of setup, because it requires the use of a non-internally signed CA cert to accomplish this workaround.

Shocktrooper avatar Oct 28 '21 17:10 Shocktrooper
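A quick way to confirm the behaviour described in this thread from the registry side, as an added example that is not part of the thread or of the AWS project: generate a throwaway internal CA with openssl, sign a certificate for a hypothetical registry host name, and check whether that certificate verifies with and without the internal CA in the trust bundle. The CA, host name and temp directory are constructed for the demo; the empty-bundle case approximates a client that, like the Fargate image pull, has no way to trust an internal root.

```shell
#!/usr/bin/env sh
# Constructed demo: a throwaway "internal" CA and a registry cert it signs,
# then a check of whether that cert verifies against a given trust bundle.
set -eu
WORK=$(mktemp -d)

make_demo_pki() {
  # Self-signed private root CA (constructed; not a real corporate CA)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # Leaf certificate for a hypothetical registry host, signed by that CA
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=registry.internal.example" \
    -keyout "$WORK/registry.key" -out "$WORK/registry.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/registry.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/registry.pem" 2>/dev/null
}

# verify_with_bundle <trust-bundle-or-empty-string> <cert>
# Returns 0 if the cert chains to a root in the bundle, non-zero otherwise.
# An empty bundle means "no private CA trusted", which is the situation the
# thread describes for a Fargate task pulling from an internally signed registry.
verify_with_bundle() {
  bundle=$1; cert=$2
  if [ -n "$bundle" ]; then
    openssl verify -no-CApath -no-CAfile -CAfile "$bundle" "$cert" >/dev/null 2>&1
  else
    openssl verify -no-CApath -no-CAfile "$cert" >/dev/null 2>&1
  fi
}

# Stand-alone run: show both outcomes side by side.
make_demo_pki
if verify_with_bundle "$WORK/ca.pem" "$WORK/registry.pem"; then
  echo "with internal CA in the bundle: trusted"
fi
if ! verify_with_bundle "" "$WORK/registry.pem"; then
  echo "without the internal CA (Fargate's view): NOT trusted"
fi
```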

> Any update on this? Seems like a bit of an issue if Fargate cannot connect to Repositories with self-signed certs

> We got around this for now by provisioning a publicly signed CA cert that points at a private hosted zone in AWS, which then points at an internal load balancer. Since the certificate being served up is publicly signed, Fargate doesn't complain. This is still an issue for people that cannot have this type of setup, because it requires the use of a non-internally signed CA cert to accomplish this workaround.

That is the route we have had to take as well. It's rather unfortunate to have to resort to this method, as it adds cost and complexity to the architecture.

thameezb avatar Oct 29 '21 12:10 thameezb

I'd also like to see this for EKS with Fargate.

boyersnet avatar Sep 16 '22 17:09 boyersnet

Would love to see this on Batch (Fargate) as well

themish95 avatar Oct 04 '22 11:10 themish95