
Fetching a docker image from a private jfrog artifactory, upload on ecr and deploy on ecs

Open yasinkayade opened this issue 3 years ago • 4 comments

Hi, I create a small project fetching docker image of a spring boot project from a private jfrog artifactory, uploading on AWS ECR and deploying it on AWS ECS via copilot in a cicd pipeline. I need credentials and certificate to fetch the docker image. AFAIK from https://github.com/aws/copilot-cli/issues/2101, there is a parameter with the name credentials (under image) to store in secretsmanager and use them. So the image part of manifest.yml:

image:
  credentials: arn:aws:secretsmanager:…….  # username and password
  location: location_of_docker_image_in_jfrog_artifactory
  port: 8080

But I still get 403 Forbidden, because I need a certificate in order to be able to fetch the image from the private artifactory because of security issues. I would like to ask how to put the certificate into the manifest.yml file (or put it in secretsmanager and refer to it in the manifest.yml file). And generally, does copilot have the capability to fetch the docker image from a private artifactory with username, password and certificate, and then upload it to ECR?

BR,

yasinkayade, Jul 18 '22 12:07

Yes, the reason for 403 forbidden is because as of today, ECS doesn't support pulling images from privately signed registries for Fargate tasks. See issue. I suspect that is why you are considering pushing to ECR as a workaround.

Unfortunately, the image.location field in the manifest is passed directly to Amazon ECS as-is. And, we don't have a built-in capability to fetch the docker image from a private artifactory, upload to ECR, and reset image.location as ECR repository.

You could solve this with two options:

  1. Right before the copilot deploy workflow, you could pull from artifactory and push to the ECR repository provisioned as part of copilot svc init. The repository follows the format <app_account>.dkr.ecr.<aws_region>.amazonaws.com/<app_name>/<svc_name>

OR

  2. Create a new Dockerfile with FROM <artifactory_url> and update the manifest image.build.dockerfile field to point to that. I think this should work if your local docker daemon is configured correctly with the certificate trust store.

Let us know if either option works for you. Thank you.

uttarasridhar, Jul 19 '22 00:07
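
Option 1 from the reply above, written out as a shell script that can run as a pipeline step before the deploy. This is an added example, not code from the thread or from the Copilot project. Assumptions not stated in the thread: the `ARTIFACTORY_USER` / `ARTIFACTORY_PASSWORD` environment variables, the function names, and that the required certificate is the registry's CA certificate installed at `/etc/docker/certs.d/<registry-host>/ca.crt` on a Linux Docker host.

```shell
#!/bin/sh
# Added example: mirror an image from a private registry into the ECR
# repository that Copilot provisioned for the service.

# ECR repository URI in the format quoted in the reply:
# <app_account>.dkr.ecr.<aws_region>.amazonaws.com/<app_name>/<svc_name>
ecr_repo_uri() {
  printf '%s.dkr.ecr.%s.amazonaws.com/%s/%s\n' "$1" "$2" "$3" "$4"
}

# Registry host (with port, if any) = text before the first "/" of an image ref.
registry_host() {
  printf '%s\n' "${1%%/*}"
}

# Assumed location of the per-registry CA certificate for the Docker daemon (Linux).
registry_ca_path() {
  printf '/etc/docker/certs.d/%s/ca.crt\n' "$(registry_host "$1")"
}

mirror_image() {
  src="$1"; account="$2"; region="$3"; app="$4"; svc="$5"; tag="${6:-latest}"
  dst="$(ecr_repo_uri "$account" "$region" "$app" "$svc"):$tag"
  ca="$(registry_ca_path "$src")"
  # Fail closed: without the CA the pull would fail TLS verification, and
  # disabling verification (insecure-registries) is not an acceptable fallback.
  [ -r "$ca" ] || { echo "missing registry CA: $ca" >&2; return 1; }
  # --password-stdin keeps the secret out of argv and shell history.
  printf '%s' "$ARTIFACTORY_PASSWORD" |
    docker login "$(registry_host "$src")" -u "$ARTIFACTORY_USER" --password-stdin || return 1
  docker pull "$src" || return 1
  docker tag "$src" "$dst" || return 1
  aws ecr get-login-password --region "$region" |
    docker login -u AWS --password-stdin "$(registry_host "$dst")" || return 1
  docker push "$dst" || return 1
  docker logout "$(registry_host "$src")"
}

# Runs only when called with arguments:
#   ./mirror.sh <src_image> <account> <region> <app> <svc> [tag]
if [ "$#" -ge 5 ]; then
  mirror_image "$@"
fi
```
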

Hi @uttarasridhar thanks for the answer. I will try them. I have another issue. I created a spring cloud config server deployed on AWS ECS (fargate). Config client is a service also deployed on ECS (same VPC). How can we inject config server uri as spring.cloud.config.uri and spring.config.import in client service? I tried possible options like dns name but when deploying client service we still get "No spring.config.import property has been defined". What should I take into consideration in this structure?

yasinkayade, Jul 20 '22 11:07

Would you be able to elaborate more on your setup?

  1. Are you setting these URIs through environment variables in the manifest? Some articles here and here could be possible leads on ensuring env vars are passed correctly to the spring container.

  2. Do you use copilot pipeline to deploy the server and client? We recently introduced a way to configure the ordering of deployments. Maybe that will help ensure server uri is available before client is deployed.

Hope these pointers are helpful.

uttarasridhar, Jul 21 '22 00:07

Hi @yasinkayade! To add onto @uttarasridhar's recommendation, each ECS service in an environment gets a deterministic service discovery endpoint.

Therefore, for option 1 using the environment variables you should be able to define the endpoint as:

# Replace <name for your service> with the name of your config client service.
variables:
  SPRING_CONFIG_URI: 'http://<name for your service>.${COPILOT_ENVIRONMENT_NAME}.${COPILOT_APPLICATION_NAME}.local'

And then it looks like in spring boot you can use the env variable in the config:

spring.cloud.config.uri = ${SPRING_CONFIG_URI}

efekarakus, Jul 22 '22 16:07

This issue is stale because it has been open 60 days with no response activity. Remove the stale label, add a comment, or this will be closed in 14 days.

github-actions[bot], Sep 12 '23 00:09

This issue is closed due to inactivity. Feel free to reopen the issue if you have any further questions!

github-actions[bot], Sep 26 '23 00:09