
Support FIPS endpoint #692

Merged
merged 6 commits into from
Jan 16, 2019

Conversation

SoManyHs
Contributor

@SoManyHs SoManyHs commented Jan 3, 2019

Related to https://github.com/awslabs/amazon-ecr-credential-helper/pull/127/files

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@SoManyHs SoManyHs changed the base branch from master to dev January 3, 2019 21:50
@SoManyHs SoManyHs force-pushed the hhh-fips branch 3 times, most recently from cc94dc3 to 7f84ee5 Compare January 11, 2019 07:36
@SoManyHs
Contributor Author

$ ecs-cli images --use-fips --debug
DEBU[0000] Using FIPS endpoint: https://ecr-fips.us-west-2.amazonaws.com
DEBU[0000] Getting images from ECR...

REPOSITORY NAME      TAG                 IMAGE DIGEST              PUSHED AT           SIZE
scorekeep-frontend       latest              sha256:c0ffefe             2 months ago        44.7 MB
...

$ ecs-cli pull scorekeep-frontend --use-fips --debug
DEBU[0000] Using FIPS endpoint: https://ecr-fips.us-west-2.amazonaws.com
INFO[0000] Getting AWS account ID...
...
$ ecs-cli push scorekeep-frontend --use-fips --debug
DEBU[0000] Using FIPS endpoint: https://ecr-fips.us-west-2.amazonaws.com
INFO[0000] Getting AWS account ID...
...

Contributor

@allisaurus allisaurus left a comment


  • 2 DRY comments
  • per offline discussion & testing, push/pull via FIPS needs a fully qualified image name to work.

ecs-cli/modules/cli/image/image_app.go (outdated)
ecs-cli/modules/commands/image/image_command.go (outdated)
Contributor

@PettitWesley PettitWesley left a comment


@SoManyHs Tried testing it. How come this happens?

With Fips:

amazon-ecs-cli ((HEAD detached at H3Fork/hhh-fips)) $ ecs-cli push cats/fluentd --use-fips --debug
DEBU[0000] Using FIPS endpoint: https://ecr-fips.us-west-2.amazonaws.com
INFO[0000] Getting AWS account ID...
FATA[0000] Error executing 'push': SerializationError: failed to decode query XML error response
	status code: 403, request id: 54321916-1845-11e9-89d3-3f12900d556d
caused by: expected element type <ErrorResponse> but have <InvalidSignatureException>

Without Fips:

amazon-ecs-cli ((HEAD detached at H3Fork/hhh-fips)) $ ecs-cli push cats/fluentd --debug
INFO[0000] Getting AWS account ID...
DEBU[0000] Getting authorization token...
DEBU[0000] Checking file cache                           registry=144718711470
DEBU[0000] Using cached token                            registry=144718711470
INFO[0000] Tagging image                                 image=cats/fluentd repository=144718711470.dkr.ecr.us-west-2.amazonaws.com/cats/fluentd tag=
INFO[0000] Image tagged
DEBU[0000] Check if repository exists                    repository=cats/fluentd
INFO[0000] Pushing image                                 repository=144718711470.dkr.ecr.us-west-2.amazonaws.com/cats/fluentd tag=
INFO[0001] Image pushed

☹️

ecs-cli/modules/cli/image/image_app_test.go
@SoManyHs
Contributor Author

InvalidSignatureException issue fixed:

$ ecs-cli images --debug
DEBU[0000] Getting images from ECR...

REPOSITORY NAME      TAG                 IMAGE DIGEST                                                              PUSHED AT           SIZE
scorekeep-frontend   latest              sha256:f9cf77bbe58c7654015438d7fad0bad3a4ef6f572760cb7f7d0ab8aa74451103   2 months ago        44.7 MB
xray-daemon          latest              sha256:bbde8db0255093110d80eb2eec66994402e89678f23bd077eee6b97bfb718766   2 months ago        117 MB
scorekeep-api        latest              sha256:e9003b7c4b2ffc5f9e5bac6331fc690371578cc2e0c1e0eec2eb038be7b5f9d1   2 months ago        91.7 MB
drkiq_drkiq          latest              sha256:759de045cd0a918a841520d5b1c12bacab4701d21f20e7e980ccdf1245593825   5 minutes ago       230 MB

$ ecs-cli images --debug --use-fips
DEBU[0000] Using FIPS endpoint: https://ecr-fips.us-west-2.amazonaws.com
DEBU[0000] Getting images from ECR...

REPOSITORY NAME      TAG                 IMAGE DIGEST                                                              PUSHED AT           SIZE
scorekeep-frontend   latest              sha256:f9cf77bbe58c7654015438d7fad0bad3a4ef6f572760cb7f7d0ab8aa74451103   2 months ago        44.7 MB
xray-daemon          latest              sha256:bbde8db0255093110d80eb2eec66994402e89678f23bd077eee6b97bfb718766   2 months ago        117 MB
scorekeep-api        latest              sha256:e9003b7c4b2ffc5f9e5bac6331fc690371578cc2e0c1e0eec2eb038be7b5f9d1   2 months ago        91.7 MB
drkiq_drkiq          latest              sha256:759de045cd0a918a841520d5b1c12bacab4701d21f20e7e980ccdf1245593825   5 minutes ago       230 MB

$ ecs-cli push drkiq_drkiq --debug
INFO[0000] Getting AWS account ID...
DEBU[0000] Getting authorization token...
DEBU[0000] Checking file cache                           registry=xxxxxxxxxx51
DEBU[0000] Calling ECR.GetAuthorizationToken             registry=xxxxxxxxxx51
DEBU[0000] Saving credentials to file cache              registry=xxxxxxxxxx51
DEBU[0000] Retrieved authorization token via endpoint: https://xxxxxxxxxx51.dkr.ecr.us-west-2.amazonaws.com
INFO[0000] Tagging image                                 image=drkiq_drkiq repository=xxxxxxxxxx51.dkr.ecr.us-west-2.amazonaws.com/drkiq_drkiq tag=
INFO[0000] Image tagged
DEBU[0000] Check if repository exists                    repository=drkiq_drkiq
INFO[0000] Pushing image                                 repository=xxxxxxxxxx51.dkr.ecr.us-west-2.amazonaws.com/drkiq_drkiq tag=
INFO[0001] Image pushed

$ ecs-cli push drkiq_drkiq --use-fips --debug
DEBU[0000] Using FIPS endpoint: https://ecr-fips.us-west-2.amazonaws.com
INFO[0000] Getting AWS account ID...
DEBU[0000] Getting authorization token...
DEBU[0000] Checking file cache                           registry=xxxxxxxxxx51
DEBU[0000] Calling ECR.GetAuthorizationToken             registry=xxxxxxxxxx51
DEBU[0000] Saving credentials to file cache              registry=xxxxxxxxxx51
DEBU[0000] Retrieved authorization token via endpoint: https://xxxxxxxxxx51.dkr.ecr-fips.us-west-2.amazonaws.com
INFO[0000] Tagging image                                 image=drkiq_drkiq repository=xxxxxxxxxx51.dkr.ecr-fips.us-west-2.amazonaws.com/drkiq_drkiq tag=
INFO[0000] Image tagged
DEBU[0000] Check if repository exists                    repository=drkiq_drkiq
INFO[0000] Pushing image                                 repository=xxxxxxxxxx51.dkr.ecr-fips.us-west-2.amazonaws.com/drkiq_drkiq tag=
INFO[0002] Image pushed


$  ecs-cli pull drkiq_drkiq  --debug
INFO[0000] Getting AWS account ID...
DEBU[0000] Getting authorization token...
DEBU[0000] Checking file cache                           registry=xxxxxxxxxx51
DEBU[0000] Using cached token                            registry=xxxxxxxxxx51
DEBU[0000] Retrieved authorization token via endpoint: https://xxxxxxxxxx51.dkr.ecr.us-west-2.amazonaws.com
INFO[0000] Pulling image                                 repository=xxxxxxxxxx51.dkr.ecr.us-west-2.amazonaws.com/drkiq_drkiq tag=
INFO[0000] Image pulled

$  ecs-cli pull drkiq_drkiq --use-fips --debug
DEBU[0000] Using FIPS endpoint: https://ecr-fips.us-west-2.amazonaws.com
INFO[0000] Getting AWS account ID...
DEBU[0000] Getting authorization token...
DEBU[0000] Checking file cache                           registry=xxxxxxxxxx51
DEBU[0000] Using cached token                            registry=xxxxxxxxxx51
DEBU[0000] Retrieved authorization token via endpoint: https://xxxxxxxxxx51.dkr.ecr-fips.us-west-2.amazonaws.com
INFO[0000] Pulling image                                 repository=xxxxxxxxxx51.dkr.ecr-fips.us-west-2.amazonaws.com/drkiq_drkiq tag=
INFO[0001] Image pulled

Contributor

@PettitWesley PettitWesley left a comment


@SoManyHs I think FIPS support should be advertised in our README

ecs-cli/modules/cli/image/image_app_test.go
ecs-cli/modules/cli/image/image_app.go (outdated)
uri := "012345678912.dkr.ecr.us-east-1.amazonaws.com"
expectedImage := uri + "/" + repository
observedRegistryURI, observedRepo, observedTag, err := splitImageName(expectedImage, "[:|@]", "format")
tests := []struct {
Contributor


+1 table driven tests
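As an added illustration of what this thread exercises (not code from this PR or from amazon-ecs-cli): the FIPS and non-FIPS ECR hosts shown in the logs above, an image-name splitter on the `[:|@]` separator the test uses, and the qualification of a bare repository name so push/pull go to the same `ecr-fips` host the token was retrieved for. The account id and region are constructed values.

```go
package main

import (
	"fmt"
	"strings"
)

// ecrHosts returns the ECR API endpoint and the docker registry host. With
// useFips both use the "ecr-fips" service name, matching the
// "https://ecr-fips.<region>..." and "<account>.dkr.ecr-fips.<region>..." logs.
func ecrHosts(accountID, region string, useFips bool) (api, registry string) {
	svc := "ecr"
	if useFips {
		svc = "ecr-fips"
	}
	api = fmt.Sprintf("https://%s.%s.amazonaws.com", svc, region)
	registry = fmt.Sprintf("%s.dkr.%s.%s.amazonaws.com", accountID, svc, region)
	return api, registry
}

// splitImageName splits "registry/repo[:tag|@digest]". A registry is only
// recognised when the first path segment looks like a host (contains '.' or
// ':'), so "cats/fluentd" is a repository path with no registry.
func splitImageName(image string) (registry, repo, tag, digest string) {
	rest := image
	if i := strings.Index(image, "/"); i > 0 && strings.ContainsAny(image[:i], ".:") {
		registry, rest = image[:i], image[i+1:]
	}
	sep := strings.IndexAny(rest, ":@")
	if sep < 0 {
		return registry, rest, "", ""
	}
	if rest[sep] == '@' { // digest keeps its "sha256:" prefix
		return registry, rest[:sep], "", rest[sep+1:]
	}
	return registry, rest[:sep], rest[sep+1:], ""
}

// qualifyImage prefixes an unqualified name with the registry host that
// matches the endpoint in use, so a FIPS push or pull targets the ecr-fips
// host the authorization token was issued for (as in the fixed logs above).
func qualifyImage(image, accountID, region string, useFips bool) string {
	if registry, _, _, _ := splitImageName(image); registry != "" {
		return image
	}
	_, host := ecrHosts(accountID, region, useFips)
	return host + "/" + image
}
```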

Contributor

@PettitWesley PettitWesley left a comment


One comment, but :shipit:

README.md (outdated)
@@ -984,6 +984,24 @@ INFO[0018] Started container... container=bf35a813-dd76-4fe0-b5a2-c1334c2331f4/l

For more information about using private registries with ECS, see [Private Registry Authentication for Tasks](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html).

### Using FIPS Endpoints
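Review bot: only the new "### Using FIPS Endpoints" heading is visible in this hunk, so check that the 18 added lines state which commands accept `--use-fips` (`images`, `push` and `pull`, per the logs in this thread), show the endpoint form the debug output prints (`https://ecr-fips.<region>.amazonaws.com`), and mention the fully qualified image name requirement for push/pull raised earlier in the review; those are the facts a reader of the README needs to use the flag.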
Contributor


Should this be added to the table of contents?
