I'm building an AWS EKS cluster with Fargate managed nodes, and everything is fine until I want to pull a Docker image from a remote on-premise Docker registry hosted on Harbor. The CA is fully private and on-premise, and I thought that this could be an issue.
As a workaround, I tried to create an Apache proxy with an SSL key and cert generated by AWS PCA (from another account!). Later I customized the docker pull endpoint call to pull through this proxy.
I tested this setup from the proxy instance as well as from another bastion host instance, and images pull correctly with Harbor authentication (not from EKS).
I checked, and the CA created in AWS PCA is not expired (expiration date in 2022).
From inside AWS EKS, this pull doesn't work correctly. I'm including the error messages:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning LoggingDisabled 78s fargate-scheduler Disabled logging because aws-logging configmap was not found. configmap "aws-logging" not found
Normal Scheduled 5s fargate-scheduler Successfully assigned <name-of-deployment-here> to fargate-ip-10-155-250-49.eu-central-1.compute.internal
Normal Pulling 2s kubelet Pulling image "<image_name_here>"
Warning Failed 2s kubelet Failed to pull image "<apache-proxy-address>/<docker-repository-address>": rpc error: code = Unknown desc = failed to pull and unpack image "<apache-proxy-address>/<docker-repository-address>": failed to resolve reference "<apache-proxy-address>/<docker-repository-address>: failed to do request: Head https://<apache-proxy-address>/<****>/<docker-repository-address>: x509: certificate signed by unknown authority
Warning Failed 2s kubelet Error: ErrImagePull
Normal BackOff 1s kubelet Back-off pulling image "<apache-proxy-address>/<docker-repository-address>"
Warning Failed 1s kubelet Error: ImagePullBackOff
Error is caused by:
x509: certificate signed by unknown authority
Do you guys have any ideas?
Thanks in advance!
There is no solution to this problem at the moment. We have to wait for AWS to implement private certificate support in EKS from ACM Private CA. Currently, certificates accepted by the EKS service have to be signed by some public CA.
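The following is an added example, not code from the question or the answer, that reproduces the failure mode above with Go's crypto/x509, the same verification library behind the containerd/kubelet error string "x509: certificate signed by unknown authority". It builds a stand-in private root CA, issues a server certificate for a placeholder proxy host name (proxy.example.internal, a constructed value), and verifies that certificate twice: once against a trust store that lacks the private root, which fails exactly as the kubelet reported, and once against a trust store that contains it, which succeeds. The point for a defender is that the error is a client-side trust-store condition, not a problem with the certificate's validity dates or the proxy itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs template with parentKey on behalf of parent. With parent == nil the
// certificate is self-signed, which is how the root CA below is created.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// NewPrivateCA returns a self-signed root, a stand-in for the on-premise / ACM PCA root
// in the question. The subject name is a constructed placeholder.
func NewPrivateCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return issue(tmpl, nil, nil)
}

// NewServerCert issues a leaf certificate for host signed by the private CA,
// like the cert the Apache proxy presents to the image puller.
func NewServerCert(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // SAN is required; Go no longer falls back to CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, _, err := issue(tmpl, ca, caKey)
	return cert, err
}

// VerifyAgainst does what a Go TLS client (containerd, kubelet) does on handshake:
// it tries to build a chain from the server's leaf to a root in the trust store.
// An explicit pool is used instead of nil (system roots) so the result is deterministic.
func VerifyAgainst(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// IsUnknownAuthority reports whether err is the "certificate signed by unknown
// authority" failure, i.e. no chain to a trusted root could be built.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	const host = "proxy.example.internal" // constructed placeholder for <apache-proxy-address>
	ca, caKey, err := NewPrivateCA()
	if err != nil {
		panic(err)
	}
	leaf, err := NewServerCert(host, ca, caKey)
	if err != nil {
		panic(err)
	}
	// Trust store without the private root: the Fargate node's situation.
	fmt.Println("without private CA:", VerifyAgainst(leaf, host, x509.NewCertPool()))
	// Same certificate, trust store that includes the root: the chain builds.
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	fmt.Println("with private CA:", VerifyAgainst(leaf, host, trusted))
}
```

Run with `go run .`; the first line reports the unknown-authority error and the second reports `<nil>`. On a host you control, the equivalent fix is to add the private root to the node's CA bundle; on a managed node where the trust store cannot be changed, only a chain ending in a root the node already trusts will verify.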