I'm building an AWS EKS cluster with Fargate managed nodes and everything is fine until I want to pull a Docker image from a remote on-premise Docker registry hosted on Harbor. The CA is fully private and on-premise, and I thought that this could be an issue.
As a workaround, I tried to create an Apache proxy with an SSL key and cert generated by AWS PCA (from another account!). Later I customized the docker pull endpoint call to go (pull) through this proxy.
I tested this setup from the proxy instance as well as from another bastion host instance, and images are pulled correctly with Harbor authentication (not from EKS).
I checked, and the CA created in AWS PCA is not expired (expiration date in 2022).
From inside AWS EKS, this pull doesn't work correctly. I'm including error messages:
Events:
  Type     Reason           Age   From               Message
  ----     ------           ----  ----               -------
  Warning  LoggingDisabled  78s   fargate-scheduler  Disabled logging because aws-logging configmap was not found. configmap "aws-logging" not found
  Normal   Scheduled        5s    fargate-scheduler  Successfully assigned <name-of-deployment-here> to fargate-ip-10-155-250-49.eu-central-1.compute.internal
  Normal   Pulling          2s    kubelet            Pulling image "<image_name_here>"
  Warning  Failed           2s    kubelet            Failed to pull image "<apache-proxy-address>/<docker-repository-address>": rpc error: code = Unknown desc = failed to pull and unpack image "<apache-proxy-address>/<docker-repository-address>": failed to resolve reference "<apache-proxy-address>/<docker-repository-address>: failed to do request: Head https://<apache-proxy-address>/<****>/<docker-repository-address>: x509: certificate signed by unknown authority
  Warning  Failed           2s    kubelet            Error: ErrImagePull
  Normal   BackOff          1s    kubelet            Back-off pulling image "<apache-proxy-address>/<docker-repository-address>"
  Warning  Failed           1s    kubelet            Error: ImagePullBackOff
The error is caused by:
  x509: certificate signed by unknown authority
Do you guys have any ideas?
Thanks in advance!