Introduction
Containerization has become increasingly favored for deploying and managing applications through Kubernetes, a top container orchestration platform. Many organizations opt for Amazon Elastic Kubernetes Service (Amazon EKS) due to its performance, scalability, availability, and seamless integration with other AWS services and robust security features.
To bolster security, maintain compliance, and safeguard intellectual property, companies frequently utilize private container repositories like JFrog Artifactory. These repositories are secured with certificates issued by a Private Certificate Authority, allowing companies to optimize costs and customize certificates according to their specific requirements. Furthermore, organizations wish to leverage Amazon EKS for hosting applications and securely retrieving images from these private repositories.
This article provides a step-by-step guide for configuring Amazon EKS worker nodes to securely access a private container image repository. For our example, we will use JFrog Artifactory, though you can choose any other repository management software available.
Solution Overview
In our setup, the Root CA certificate is stored in an Amazon S3 bucket encrypted with an AWS KMS customer-managed key. Each Amazon EKS worker node uses its attached AWS IAM role to fetch the certificate from the bucket and install it into the node's trust store. Nodes with the certificate installed can then establish a verified TLS connection to the container image repository and pull images.
Walkthrough
- Create a private certificate authority (CA) using AWS Private Certificate Authority.
- Issue an end-entity certificate using AWS Certificate Manager.
- Install and configure a private container image repository (e.g., JFrog Artifactory) and secure it with the end-entity certificate.
- Optionally, create a private hosted zone using Amazon Route 53 for a user-friendly domain name.
- Upload the Root CA certificate to Amazon Simple Storage Service (Amazon S3).
- Create an Amazon EKS cluster that automates the installation of the Root CA certificate for worker nodes.
- Securely connect to and deploy a container image from a JFrog Artifactory repository.
Note: Following the steps outlined in this article will incur costs.
Prerequisites
- An AWS Account
- Installation of eksctl
- Installation of AWS Command Line Interface (AWS CLI)
1. Create and Install Root and Subordinate CA
To start, create the certificate authority using the AWS Private Certificate Authority service. Unlike public certificates, private certificates are intended for internal use. It is advisable to follow best practices by creating a CA hierarchy and issuing an end-entity certificate from a subordinate CA. For detailed guidance on designing a CA hierarchy, consult the AWS documentation. In this post, we will create both a Root and a subordinate certificate.
Sign in to your AWS account, navigate to the AWS Private Certificate Authority service console, and create the Root certificate authority.
In the Subject distinguished name options, configure the subject name for your private CA. You must provide a value for at least one of the following options (Note: we will use the domain name myca.local throughout this article):
- Organization (O) – e.g., your company name
- Organization Unit (OU) – e.g., a division within the company
- Country name (C) – a two-letter country code
- State or province name – full name of a state or province
- Locality name – name of a city
- Common Name (CN) – myca.local
Next, install the root CA certificate and create a subordinate CA using myca.local as the Common Name (CN). After activating the subordinate CA, export the Root CA certificate and save it as a .pem file (e.g., client.pem). This certificate will later be installed on the Amazon EKS worker nodes.
2. Issue End-Entity Certificate
Next, we will issue an end-entity certificate using the AWS Certificate Manager service. An end-entity certificate is a digitally signed statement issued by a CA to validate the identity of an entity, such as a website or business. Select the previously created Subordinate CA as your certificate authority and choose a fully qualified domain name (FQDN) for your certificate, like repo.sub.myca.local. This certificate will enable TLS for JFrog Artifactory.
Once the end-entity certificate is issued, export the certificate bundle for use in enabling Transport Layer Security (TLS) on the JFrog Artifactory server. This export includes three key elements (i.e., .pem files): the primary TLS certificate, the Certificate Chain, and the private key.
3. Install and Configure a Private Container Image Repository
Next, install and configure JFrog Artifactory on an Amazon Elastic Compute Cloud (Amazon EC2) instance. Please refer to the JFrog installation guide for details. After installation, use the certificate bundle to enable TLS for the JFrog Artifactory server. Once configured, build and push a sample Docker image to the repository for testing purposes.
4. Create Amazon Route 53 Private Hosted Zone (Optional)
The FQDN for the certificate is repo.sub.myca.local, and we need to assign the same domain name to the container image repository. To manage the Domain Name System (DNS), we'll use Amazon Route 53. Create a private hosted zone in Amazon Route 53, and once it's available, create a DNS record of type A to map repo.sub.myca.local to the repository server's IP address.
5. Upload Root CA Certificate to Amazon S3
Amazon EKS worker nodes will require access to the Root CA certificate during bootstrapping. Utilize Amazon Simple Storage Service (Amazon S3) as a storage solution for the certificate. You can either use an existing Amazon S3 bucket or create a new one, following Amazon S3 security best practices to protect your content. For better tracking, consider creating a dedicated Amazon S3 bucket with server access logs enabled. Upload the client certificate client.pem as follows:
$ aws s3 cp client.pem s3://<bucket-name>/
6. Create an Amazon EKS Cluster and Automate Installation of Root CA Certificate
We are now ready to provision an Amazon EKS cluster and dynamically install the Root CA certificate. This certificate establishes the chain of trust with the server certificate installed in the image repository (e.g., JFrog Artifactory) and facilitates a secure TLS connection. To streamline the process, we will use the eksctl tool for provisioning Amazon EKS clusters and worker nodes.
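As an added example that is not part of the original post or of eksctl's own documentation, the following eksctl ClusterConfig uses preBootstrapCommands to fetch the Root CA from the Amazon S3 bucket of step 5 and install it into the node trust store before containerd starts. The cluster name, region, instance type and the EksRootCaReadOnly policy name are assumptions, and <bucket-name> and <account-id> are placeholders.

```yaml
# Added example (not from the original post): eksctl ClusterConfig that installs
# the Root CA from Amazon S3 on every worker node before it joins the cluster.
# Placeholders: <bucket-name>, <account-id>. Assumed: cluster name, region,
# instance type and the customer-managed policy name EksRootCaReadOnly.
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: private-registry-demo        # assumed cluster name
  region: us-east-1                  # assumed region

managedNodeGroups:
  - name: ng-private-registry
    instanceType: m5.large           # assumed instance type
    desiredCapacity: 2
    iam:
      attachPolicyARNs:
        # The default managed node policies must be listed explicitly
        # whenever attachPolicyARNs is set.
        - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
        - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
        # Customer-managed policy (assumed name) granting only s3:GetObject on
        # s3://<bucket-name>/client.pem and kms:Decrypt on the bucket's CMK.
        - arn:aws:iam::<account-id>:policy/EksRootCaReadOnly
    # These commands run as root on Amazon Linux 2 / AL2023 nodes before
    # bootstrap.sh starts containerd, so the trust store is already updated
    # when the first image is pulled. Bottlerocket nodes take CA bundles
    # through settings.pki instead of a file in the system trust store.
    preBootstrapCommands:
      - set -euo pipefail
      # Fetch the Root CA with the node role; SSE-KMS decryption is transparent
      # as long as the role has kms:Decrypt on the key.
      - aws s3 cp s3://<bucket-name>/client.pem /tmp/client.pem
      # Refuse to continue if the object is not a parseable X.509 certificate.
      - openssl x509 -in /tmp/client.pem -noout
      # Install with root ownership and read-only permissions, then rebuild
      # the system CA bundle that containerd uses for registry TLS.
      - install -m 0644 -o root -g root /tmp/client.pem /etc/pki/ca-trust/source/anchors/private-root-ca.pem
      - update-ca-trust extract
      - rm -f /tmp/client.pem
```

Once a node has joined, you can confirm the chain of trust from the node with openssl s_client -connect repo.sub.myca.local:443 -CAfile /etc/pki/tls/certs/ca-bundle.crt, which should report "Verify return code: 0 (ok)".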
In conclusion, using a private CA and installing its Root certificate on your Amazon EKS worker nodes lets the nodes verify the image repository's TLS certificate and pull images over an authenticated, encrypted connection, which strengthens both security and compliance.