From 76e4042dc0427e4720cb6d63ec11c617ec474a44 Mon Sep 17 00:00:00 2001
From: Shalom Yerushalmy
Date: Mon, 29 Jan 2024 08:57:04 +0200
Subject: [PATCH 1/4] add fixes

---
 Dockerfile | 34 +++++++++++++++++++++++++++++++---
 files/renew_token.sh | 2 +-
 files/startup.sh | 29 ++--------------------------
 3 files changed, 34 insertions(+), 31 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 43ed49a..4885e8a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,12 +1,40 @@ -FROM openresty/openresty:1.19.9.1-12-alpine +#FROM --platform=linux/amd64 openresty/openresty:1.25.3.1-0-jammy + +#USER root +#RUN apt update +#RUN apt install curl nginx unzip bind9 bind9utils bind9-doc dnsutils python3 python3-pip python3-urllib3 python3-colorama supervisor -y +#RUN mkdir /cache \ +# && addgroup nginx \ +# && adduser --uid 110 --no-create-home --disabled-login --home /cache --shell /sbin/nologin --ingroup nginx nginx \ +# && curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \ +# && unzip awscliv2.zip \ +# && ./aws/install +# +#COPY files/startup.sh files/renew_token.sh files/health-check.sh / +#COPY files/ecr.ini /etc/supervisor.d/ecr.ini +#COPY files/root /etc/crontabs/root +# +#COPY files/nginx.conf /usr/local/openresty/nginx/conf/nginx.conf +#COPY files/ssl.conf /usr/local/openresty/nginx/conf/ssl.conf +# +#ENV PORT 5000 +#RUN chmod a+x /startup.sh /renew_token.sh +# +#HEALTHCHECK --interval=5s --timeout=5s --retries=3 CMD /health-check.sh +# +#ENTRYPOINT ["/startup.sh"] +##CMD ["/usr/bin/supervisord"] +#CMD ["sleep", "100000000"] + + +FROM --platform=linux/amd64 openresty/openresty:1.25.3.1-0-alpine USER root -RUN apk add -v --no-cache bind-tools python3 py-pip py3-urllib3 py3-colorama supervisor \ +RUN apk add -v --no-cache bind-tools python3 py-pip py3-urllib3 py3-colorama supervisor aws-cli \ && mkdir /cache \ && addgroup -g 110 nginx \ && adduser -u 110 -D -S -h /cache -s /sbin/nologin -G nginx nginx \ - && pip install --upgrade pip awscli==1.11.183 \ && apk -v --purge del py-pip COPY files/startup.sh files/renew_token.sh files/health-check.sh / diff --git a/files/renew_token.sh b/files/renew_token.sh index 8de0a33..44b08ca 100755 --- a/files/renew_token.sh +++ b/files/renew_token.sh 
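Review bot: `py-pip` is still installed by the new `apk add` line and then purged by `apk -v --purge del py-pip` at the end of the same RUN, but with the `pip install --upgrade pip awscli==1.11.183` line removed nothing in between uses pip any more; drop `py-pip` from both places, and check whether `python3`, `py3-urllib3` and `py3-colorama` (presumably only there to support the pip-installed awscli) are still needed now that `aws-cli` comes from apk. The added `aws-cli` package carries no version, so two builds of the same Dockerfile can pick up different CLI releases; pin it the way hadolint DL3018 asks, `aws-cli=<version>-r<rev>` (placeholder). `FROM --platform=linux/amd64` forces one architecture on every build, so a build on an arm64 host typically runs under emulation and can never yield a native image; unless cross-building is the intent, let the builder choose the platform (or use `$BUILDPLATFORM`/`$TARGETARCH` explicitly).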
@@ -8,7 +8,7 @@ AUTH=$(grep X-Forwarded-User $CONFIG | awk '{print $4}'| uniq|tr -d "\n\r") # retry till new get new token while true; do - TOKEN=$(aws ecr get-login --no-include-email | awk '{print $6}') + TOKEN=$(aws ecr get-login-password | awk '{print $6}') [ ! -z "${TOKEN}" ] && break echo "Warn: Unable to get new token, wait and retry!" sleep 30 diff --git a/files/startup.sh b/files/startup.sh index b56052b..a5c0959 100755 --- a/files/startup.sh +++ b/files/startup.sh @@ -18,19 +18,7 @@ if [ -z "$RESOLVER" ] ; then exit 1 fi -if [ -z "$AWS_REGION" ] ; then - echo "AWS_REGION not set." - exit 1 -fi - -if [ -z "$AWS_USE_EC2_ROLE_FOR_AUTH" ] || [ "$AWS_USE_EC2_ROLE_FOR_AUTH" != "true" ]; then - if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then - echo "AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY not set." - exit 1 - fi -fi - -UPSTREAM_WITHOUT_PORT=$( echo ${UPSTREAM} | sed -r "s/.*:\/\/(.*):.*/\1/g") +UPSTREAM_WITHOUT_PORT=$(echo ${UPSTREAM} | sed -r "s/.*:\/\/(.*):.*/\1/g") echo Using resolver $RESOLVER and $UPSTREAM [$(dig +short ${UPSTREAM_WITHOUT_PORT})] as upstream. CACHE_MAX_SIZE=${CACHE_MAX_SIZE:-75g} 
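Review bot: `aws ecr get-login-password | awk '{print $6}'` leaves TOKEN empty: the old `get-login` output was a whole `docker login -u AWS -p <token> …` command line whose sixth field was the password, whereas `get-login-password` prints only the password on one line, so `$6` is blank, `[ ! -z "${TOKEN}" ]` never succeeds and this loop retries forever. The same pipeline is written into `files/startup.sh` in the `@@ -64,22 +52,9 @@` hunk below, where it yields an auth header built from a bare `AWS:`. The awk belongs removed outright, `TOKEN=$(aws ecr get-login-password)`; patch 2/4 of this series does exactly that, so the change should be folded into this commit instead of leaving 1/4 broken on its own. The while loop this line sits in ends outside the hunk.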
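Review bot: Dropping the `AWS_REGION` guard here, together with removing the generated `~/.aws/config` in the later hunk, means a missing region is no longer reported up front; it now surfaces only when `aws ecr get-login-password` runs, and with the access-key/role checks gone the CLI's default credential chain (environment variables, instance or pod role) becomes the implicit contract. Keep the region check, `if [ -z "$AWS_REGION" ]; then echo "AWS_REGION not set."; exit 1; fi` — patch 2/4 restores it anyway, so it should not leave in 1/4 — and add a one-line comment stating that credentials are expected from the AWS default provider chain rather than from this script. Removing the hand-written `/root/.aws/credentials` file with plaintext keys is the right direction.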
@@ -64,22 +52,9 @@ sed -i -e s!SSL_LISTEN!"$SSL_LISTEN"!g $CONFIG # Update health-check sed -i -e s!PORT!"$PORT"!g /health-check.sh -# setup ~/.aws directory -AWS_FOLDER='/root/.aws' -mkdir -p ${AWS_FOLDER} -echo "[default]" > ${AWS_FOLDER}/config -echo "region = $AWS_REGION" >> ${AWS_FOLDER}/config - -if [ -z "$AWS_USE_EC2_ROLE_FOR_AUTH" ] || [ "$AWS_USE_EC2_ROLE_FOR_AUTH" != "true" ]; then - echo "[default]" > ${AWS_FOLDER}/credentials - echo "aws_access_key_id=$AWS_ACCESS_KEY_ID" >> ${AWS_FOLDER}/credentials - echo "aws_secret_access_key=$AWS_SECRET_ACCESS_KEY" >> ${AWS_FOLDER}/credentials -fi -chmod 600 -R ${AWS_FOLDER} - # add the auth token in default.conf AUTH=$(grep X-Forwarded-User $CONFIG | awk '{print $4}'| uniq|tr -d "\n\r") -TOKEN=$(aws ecr get-login --no-include-email | awk '{print $6}') +TOKEN=$(aws ecr get-login-password | awk '{print $6}') AUTH_N=$(echo AWS:${TOKEN} | base64 |tr -d "[:space:]") sed -i "s|${AUTH%??}|${AUTH_N}|g" $CONFIG From 9089cee4fe12bfc7b26481234dd1f0a4512964f7 Mon Sep 17 00:00:00 2001 From: Shalom Yerushalmy Date: Mon, 29 Jan 2024 10:20:27 +0200 Subject: [PATCH 2/4] finalize --- Dockerfile | 29 ----------------------------- files/renew_token.sh | 4 +--- files/startup.sh | 10 ++++++---- 3 files changed, 7 insertions(+), 36 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4885e8a..af06a11 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,32 +1,3 @@ -#FROM --platform=linux/amd64 openresty/openresty:1.25.3.1-0-jammy - -#USER root -#RUN apt update -#RUN apt install curl nginx unzip bind9 bind9utils bind9-doc dnsutils python3 python3-pip python3-urllib3 python3-colorama supervisor -y -#RUN mkdir /cache \ -# && addgroup nginx \ -# && adduser --uid 110 --no-create-home --disabled-login --home /cache --shell /sbin/nologin --ingroup nginx nginx \ -# && curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \ -# && unzip awscliv2.zip \ -# && ./aws/install -# -#COPY files/startup.sh files/renew_token.sh files/health-check.sh / -#COPY files/ecr.ini /etc/supervisor.d/ecr.ini -#COPY files/root /etc/crontabs/root -# -#COPY files/nginx.conf /usr/local/openresty/nginx/conf/nginx.conf -#COPY files/ssl.conf /usr/local/openresty/nginx/conf/ssl.conf -# -#ENV PORT 5000 -#RUN chmod a+x /startup.sh /renew_token.sh -# -#HEALTHCHECK --interval=5s --timeout=5s --retries=3 CMD /health-check.sh -# -#ENTRYPOINT ["/startup.sh"] -##CMD ["/usr/bin/supervisord"] -#CMD ["sleep", "100000000"] - - FROM --platform=linux/amd64 openresty/openresty:1.25.3.1-0-alpine USER root diff --git a/files/renew_token.sh b/files/renew_token.sh index 44b08ca..1f096ec 100755 --- a/files/renew_token.sh +++ b/files/renew_token.sh @@ -1,14 +1,12 @@ #!/bin/sh -set -xe - # update the auth token CONFIG=/usr/local/openresty/nginx/conf/nginx.conf AUTH=$(grep X-Forwarded-User $CONFIG | awk '{print $4}'| uniq|tr -d "\n\r") # retry till new get new token while true; do - TOKEN=$(aws ecr get-login-password | awk '{print $6}') + TOKEN=$(aws ecr get-login-password) [ ! -z "${TOKEN}" ] && break echo "Warn: Unable to get new token, wait and retry!" sleep 30 diff --git a/files/startup.sh b/files/startup.sh index a5c0959..136f129 100755 --- a/files/startup.sh +++ b/files/startup.sh @@ -1,8 +1,5 @@ #!/bin/sh -set -e -set -x - if [ -z "$UPSTREAM" ] ; then echo "UPSTREAM not set." exit 1 
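Review bot: Removing `-x` is correct — with xtrace on, `TOKEN=$(aws ecr get-login-password)` would have echoed the registry password into the container log — but removing `-e` in the same stroke means a failing `grep` or `sed` elsewhere in the script no longer stops it. The retry loop does need errexit off around the assignment (under `set -e` a failing `aws` inside `TOKEN=$(…)` aborts the script before the loop gets to retry), so the precise form is `set -e` at the top and `TOKEN=$(aws ecr get-login-password 2>/dev/null || true)` inside the loop, or re-enabling `set -e` right after the loop. The `@@ -1,8 +1,5 @@` hunk in `files/startup.sh` drops `set -e` the same way, and there nothing retries — a failed command simply continues into the config edits. The while loop ends outside this hunk.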
@@ -18,6 +15,11 @@ if [ -z "$RESOLVER" ] ; then exit 1 fi +if [ -z "$AWS_REGION" ] ; then + echo "AWS_REGION not set." + exit 1 +fi + UPSTREAM_WITHOUT_PORT=$(echo ${UPSTREAM} | sed -r "s/.*:\/\/(.*):.*/\1/g") echo Using resolver $RESOLVER and $UPSTREAM [$(dig +short ${UPSTREAM_WITHOUT_PORT})] as upstream. @@ -54,7 +56,7 @@ sed -i -e s!PORT!"$PORT"!g /health-check.sh # add the auth token in default.conf AUTH=$(grep X-Forwarded-User $CONFIG | awk '{print $4}'| uniq|tr -d "\n\r") -TOKEN=$(aws ecr get-login-password | awk '{print $6}') +TOKEN=$(aws ecr get-login-password) AUTH_N=$(echo AWS:${TOKEN} | base64 |tr -d "[:space:]") sed -i "s|${AUTH%??}|${AUTH_N}|g" $CONFIG From fe6ccf51e91e56870c7072cfc518f58fce4561ed Mon Sep 17 00:00:00 2001 From: Shalom Yerushalmy Date: Mon, 29 Jan 2024 10:46:26 +0200 Subject: [PATCH 3/4] update readme --- README.md | 40 ++++++---------------------------------- 1 file changed, 6 insertions(+), 34 deletions(-) diff --git a/README.md b/README.md index 3e19778..848ecc6 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,6 @@
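Review bot: `TOKEN=$(aws ecr get-login-password)` in the `@@ -54,7 +56,7 @@` hunk is never checked for an empty result, and since this commit also removes `set -e`, a failed login no longer stops the script: TOKEN is empty, `AUTH_N` becomes the base64 of a bare `AWS:`, that is substituted into the nginx config and the proxy presumably starts and fails only on its first upstream request. Add a guard directly after the assignment, `[ -n "$TOKEN" ] || { echo "Unable to get ECR token."; exit 1; }`, mirroring the non-empty test `renew_token.sh` already performs and the fail-fast shape of the `AWS_REGION` check added in the `@@ -18,6 +15,11 @@` hunk.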

- - - - - + +

# aws-ecr-http-proxy @@ -16,9 +13,6 @@ The proxy is packaged in a docker container and can be configured with following | Environment Variable | Description | Status | Default | | :---------------------------------: | :--------------------------------------------: | :-------------------------------: | :--------: | | `AWS_REGION` | AWS Region for AWS ECR | Required | | -| `AWS_ACCESS_KEY_ID` | AWS Account Access Key ID | Optional | | -| `AWS_SECRET_ACCESS_KEY` | AWS Account Secret Access Key | Optional | | -| `AWS_USE_EC2_ROLE_FOR_AUTH` | Set this to true if we do want to use aws roles for authentication instead of providing the secret and access keys explicitly | Optional | | | `UPSTREAM` | URL for AWS ECR | Required | | | `RESOLVER` | DNS server to be used by proxy | Required | | | `PORT` | Port on which proxy listens | Required | | 
@@ -32,44 +26,22 @@ The proxy is packaged in a docker container and can be configured with following ```sh docker run -d --name docker-registry-proxy --net=host \ - -v /registry/local-storage/cache:/cache \ - -v /registry/certificate.pem:/opt/ssl/certificate.pem \ - -v /registry/key.pem:/opt/ssl/key.pem \ + -v $(pwd)/cache:/cache \ + -v $(pwd)/roles/docker-registry-proxy/files/certificate.pem:/opt/ssl/certificate.pem \ + -v $(pwd)/roles/docker-registry-proxy/files/key.pem:/opt/ssl/key.pem \ -e PORT=5000 \ -e RESOLVER=8.8.8.8 \ -e UPSTREAM=https://XXXXXXXXXX.dkr.ecr.eu-central-1.amazonaws.com \ - -e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \ - -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \ -e AWS_REGION=${AWS_DEFAULT_REGION} \ -e CACHE_MAX_SIZE=100g \ -e ENABLE_SSL=true \ -e REGISTRY_HTTP_TLS_KEY=/opt/ssl/key.pem \ -e REGISTRY_HTTP_TLS_CERTIFICATE=/opt/ssl/certificate.pem \ - esailors/aws-ecr-http-proxy:latest + yershalom/aws-ecr-proxy:latest ``` If you ran this command on "registry-proxy.example.com" you can now get your images using `docker pull registry-proxy.example.com:5000/repo/image`. 
-### Deploying the proxy - -#### Deploying with ansible - -Modify the ansible role [variables](https://github.com/eSailors/aws-ecr-http-proxy/tree/master/roles/docker-registry-proxy/defaults) according to your need and run the playbook as follow: -```sh -ansible-playbook -i hosts playbook-docker-registry-proxy.yaml -``` -In case you want to enable SSL/TLS please replace the SSL certificates with the valid ones in [roles/docker-registry-proxy/files/*.pem](https://github.com/eSailors/aws-ecr-http-proxy/tree/master/roles/docker-registry-proxy/files) - -#### Deploying on Kubernetes with Helm -You can install on Kubernetes using the [community-maintained chart](https://github.com/evryfs/helm-charts/tree/master/charts/ecr-proxy) like this: - -```shell -helm repo add evryfs-oss https://evryfs.github.io/helm-charts/ -helm install evryfs-oss/ecr-proxy --name ecr-proxy --namespace ecr-proxy -``` - -See the [values-file](https://github.com/evryfs/helm-charts/blob/master/charts/ecr-proxy/values.yaml) for configuration parameters. - ### Note on SSL/TLS The proxy is using `HTTP` (plain text) as default protocol for now. So in order to avoid docker client complaining either: From 73494301adc6ff90017e7b51eb77a397a34e49d0 Mon Sep 17 00:00:00 2001 From: Shalom Yerushalmy Date: Mon, 29 Jan 2024 10:51:11 +0200 Subject: [PATCH 4/4] add docker test build --- .github/workflows/pr.yml | 14 ++++++++++++++ .idea/.gitignore | 8 ++++++++ 2 files changed, 22 insertions(+) create mode 100644 .github/workflows/pr.yml create mode 100644 .idea/.gitignore diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml new file mode 100644 index 0000000..d5159e9 --- /dev/null +++ b/.github/workflows/pr.yml @@ -0,0 +1,14 @@ +name: Test docker build + +on: + pull_request: + branches: + - main + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Build the Docker image + run: docker build . --file Dockerfile \ No newline at end of file 
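Review bot: `actions/checkout@v3` is referenced by a mutable tag, so the job runs whatever commit that tag points to at the time; pin it to a full commit SHA with the version in a comment, `uses: actions/checkout@<full-sha> # v3` (placeholder), so the build step cannot change underneath the repository. The workflow declares no `permissions:` block, so the job's GITHUB_TOKEN inherits the repository default although a build check needs only `contents: read`. `docker build . --file Dockerfile` produces an untagged image; `docker build --tag aws-ecr-proxy:ci .` (constructed name) makes the result identifiable in the log, and the file should end with a newline (`\ No newline at end of file`).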
diff --git a/.idea/.gitignore b/.idea/.gitignore
new file mode 100644
index 0000000..13566b8
--- /dev/null
+++ b/.idea/.gitignore
@@ -0,0 +1,8 @@
+# Default ignored files
+/shelf/
+/workspace.xml
+# Editor-based HTTP Client requests
+/httpRequests/
+# Datasource local storage ignored files
+/dataSources/
+/dataSources.local.xml