Merge pull request #1 from cyeragit/change-base-image-due-to-token-ch…

…anges

.github/workflows/pr.yml

@@ -0,0 +1,14 @@
+name: Test docker build
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+    build:
+        runs-on: ubuntu-latest
+        steps:
+        - uses: actions/checkout@v3
+        - name: Build the Docker image
+          run: docker build . --file Dockerfile

Dockerfile

@@ -1,12 +1,11 @@
-FROM openresty/openresty:1.19.9.1-12-alpine
+FROM --platform=linux/amd64 openresty/openresty:1.25.3.1-0-alpine
 
 USER root
 
-RUN apk add -v --no-cache bind-tools python3 py-pip py3-urllib3 py3-colorama supervisor \
+RUN apk add -v --no-cache bind-tools python3 py-pip py3-urllib3 py3-colorama supervisor aws-cli \
  && mkdir /cache \
  && addgroup -g 110 nginx \
  && adduser -u 110  -D -S -h /cache -s /sbin/nologin -G nginx nginx \
- && pip install --upgrade pip awscli==1.11.183 \
  && apk -v --purge del py-pip
 
 COPY files/startup.sh files/renew_token.sh files/health-check.sh  /

README.md

@@ -1,9 +1,6 @@
 <p align="left">
-    <a href="https://hub.docker.com/r/esailors/aws-ecr-http-proxy" alt="Pulls">
-        <img src="https://img.shields.io/docker/pulls/esailors/aws-ecr-http-proxy" /></a>
-    <a href="https://www.esailors.de" alt="Maintained">
-        <img src="https://img.shields.io/maintenance/yes/2022.svg" /></a>
-
+    <a href="https://hub.docker.com/r/yershalom/aws-ecr-proxy" alt="Pulls">
+        <img src="https://img.shields.io/docker/pulls/yershalom/aws-ecr-proxy" /></a>
 </p>
 
 # aws-ecr-http-proxy
@@ -16,9 +13,6 @@ The proxy is packaged in a docker container and can be configured with following
 | Environment Variable                | Description                                    | Status                            | Default    |
 | :---------------------------------: | :--------------------------------------------: | :-------------------------------: | :--------: |
 | `AWS_REGION`                        | AWS Region for AWS ECR                         | Required                          |            |
-| `AWS_ACCESS_KEY_ID`                 | AWS Account Access Key ID                      | Optional                          |            |
-| `AWS_SECRET_ACCESS_KEY`             | AWS Account Secret Access Key                  | Optional                          |            |
-| `AWS_USE_EC2_ROLE_FOR_AUTH`                  | Set this to true if we do want to use aws roles for authentication instead of providing the secret and access keys explicitly | Optional                          |            |
 | `UPSTREAM`                          | URL for AWS ECR                                | Required                          |            |
 | `RESOLVER`                          | DNS server to be used by proxy                 | Required                          |            |
 | `PORT`                              | Port on which proxy listens                    | Required                          |            |
@@ -32,44 +26,22 @@ The proxy is packaged in a docker container and can be configured with following
 
 ```sh
 docker run -d --name docker-registry-proxy --net=host \
-  -v /registry/local-storage/cache:/cache \
-  -v /registry/certificate.pem:/opt/ssl/certificate.pem \
-  -v /registry/key.pem:/opt/ssl/key.pem \
+  -v $(pwd)/cache:/cache \
+  -v $(pwd)/roles/docker-registry-proxy/files/certificate.pem:/opt/ssl/certificate.pem \
+  -v $(pwd)/roles/docker-registry-proxy/files/key.pem:/opt/ssl/key.pem \
   -e PORT=5000 \
   -e RESOLVER=8.8.8.8 \
   -e UPSTREAM=https://XXXXXXXXXX.dkr.ecr.eu-central-1.amazonaws.com \
-  -e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \
-  -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \
   -e AWS_REGION=${AWS_DEFAULT_REGION} \
   -e CACHE_MAX_SIZE=100g \
   -e ENABLE_SSL=true \
   -e REGISTRY_HTTP_TLS_KEY=/opt/ssl/key.pem \
   -e REGISTRY_HTTP_TLS_CERTIFICATE=/opt/ssl/certificate.pem \
-  esailors/aws-ecr-http-proxy:latest
+  yershalom/aws-ecr-proxy:latest
 ```
 
 If you ran this command on "registry-proxy.example.com" you can now get your images using `docker pull registry-proxy.example.com:5000/repo/image`.
 
-### Deploying the proxy
-
-#### Deploying with ansible
-
-Modify the ansible role [variables](https://github.com/eSailors/aws-ecr-http-proxy/tree/master/roles/docker-registry-proxy/defaults) according to your need and run the playbook as follow:
-```sh
-ansible-playbook -i hosts playbook-docker-registry-proxy.yaml
-```
-In case you want to enable SSL/TLS please replace the SSL certificates with the valid ones in [roles/docker-registry-proxy/files/*.pem](https://github.com/eSailors/aws-ecr-http-proxy/tree/master/roles/docker-registry-proxy/files)
-
-#### Deploying on Kubernetes with Helm
-You can install on Kubernetes using the [community-maintained chart](https://github.com/evryfs/helm-charts/tree/master/charts/ecr-proxy) like this:
-
-```shell
-helm repo add evryfs-oss https://evryfs.github.io/helm-charts/
-helm install evryfs-oss/ecr-proxy --name ecr-proxy --namespace ecr-proxy
-```
-
-See the [values-file](https://github.com/evryfs/helm-charts/blob/master/charts/ecr-proxy/values.yaml) for configuration parameters.
-
 
 ### Note on SSL/TLS
 The proxy is using `HTTP` (plain text) as default protocol for now. So in order to avoid docker client complaining either:

files/renew_token.sh

@@ -1,14 +1,12 @@
 #!/bin/sh
 
-set -xe
-
 # update the auth token
 CONFIG=/usr/local/openresty/nginx/conf/nginx.conf
 AUTH=$(grep  X-Forwarded-User $CONFIG | awk '{print $4}'| uniq|tr -d "\n\r")
 
 # retry till new get new token
 while true; do
-  TOKEN=$(aws ecr get-login --no-include-email | awk '{print $6}')
+  TOKEN=$(aws ecr get-login-password)
   [ ! -z "${TOKEN}" ] && break
   echo "Warn: Unable to get new token, wait and retry!"
   sleep 30

files/startup.sh

@@ -1,8 +1,5 @@
 #!/bin/sh
 
-set -e
-set -x
-
 if [ -z "$UPSTREAM" ] ; then
   echo "UPSTREAM not set."
   exit 1
@@ -23,14 +20,7 @@ if [ -z "$AWS_REGION" ] ; then
   exit 1
 fi
 
-if [ -z "$AWS_USE_EC2_ROLE_FOR_AUTH" ] || [ "$AWS_USE_EC2_ROLE_FOR_AUTH" != "true" ]; then
-  if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
-    echo "AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY not set."
-    exit 1
-  fi
-fi
-
-UPSTREAM_WITHOUT_PORT=$( echo ${UPSTREAM} | sed -r "s/.*:\/\/(.*):.*/\1/g")
+UPSTREAM_WITHOUT_PORT=$(echo ${UPSTREAM} | sed -r "s/.*:\/\/(.*):.*/\1/g")
 echo Using resolver $RESOLVER and $UPSTREAM [$(dig +short  ${UPSTREAM_WITHOUT_PORT})] as upstream.
 
 CACHE_MAX_SIZE=${CACHE_MAX_SIZE:-75g}
@@ -64,22 +54,9 @@ sed -i -e s!SSL_LISTEN!"$SSL_LISTEN"!g $CONFIG
 # Update health-check
 sed -i -e s!PORT!"$PORT"!g /health-check.sh
 
-# setup ~/.aws directory
-AWS_FOLDER='/root/.aws'
-mkdir -p ${AWS_FOLDER}
-echo "[default]" > ${AWS_FOLDER}/config
-echo "region = $AWS_REGION" >> ${AWS_FOLDER}/config
-
-if [ -z "$AWS_USE_EC2_ROLE_FOR_AUTH" ] || [ "$AWS_USE_EC2_ROLE_FOR_AUTH" != "true" ]; then
-  echo "[default]" > ${AWS_FOLDER}/credentials
-  echo "aws_access_key_id=$AWS_ACCESS_KEY_ID" >> ${AWS_FOLDER}/credentials
-  echo "aws_secret_access_key=$AWS_SECRET_ACCESS_KEY" >> ${AWS_FOLDER}/credentials
-fi
-chmod 600 -R ${AWS_FOLDER}
-
 # add the auth token in default.conf
 AUTH=$(grep  X-Forwarded-User $CONFIG | awk '{print $4}'| uniq|tr -d "\n\r")
-TOKEN=$(aws ecr get-login --no-include-email | awk '{print $6}')
+TOKEN=$(aws ecr get-login-password)
 AUTH_N=$(echo AWS:${TOKEN}  | base64 |tr -d "[:space:]")
 sed -i "s|${AUTH%??}|${AUTH_N}|g" $CONFIG