diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
new file mode 100644
index 0000000..d5159e9
--- /dev/null
+++ b/.github/workflows/pr.yml
@@ -0,0 +1,14 @@
+name: Test docker build
+
+on:
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Build the Docker image
+ run: docker build . --file Dockerfile
\ No newline at end of file
diff --git a/.idea/.gitignore b/.idea/.gitignore
new file mode 100644
index 0000000..13566b8
--- /dev/null
+++ b/.idea/.gitignore
@@ -0,0 +1,8 @@
+# Default ignored files
+/shelf/
+/workspace.xml
+# Editor-based HTTP Client requests
+/httpRequests/
+# Datasource local storage ignored files
+/dataSources/
+/dataSources.local.xml
diff --git a/Dockerfile b/Dockerfile
index 43ed49a..af06a11 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,12 +1,11 @@
-FROM openresty/openresty:1.19.9.1-12-alpine
+FROM --platform=linux/amd64 openresty/openresty:1.25.3.1-0-alpine
 USER root
-RUN apk add -v --no-cache bind-tools python3 py-pip py3-urllib3 py3-colorama supervisor \
+RUN apk add -v --no-cache bind-tools python3 py-pip py3-urllib3 py3-colorama supervisor aws-cli \
 && mkdir /cache \
 && addgroup -g 110 nginx \
 && adduser -u 110 -D -S -h /cache -s /sbin/nologin -G nginx nginx \
- && pip install --upgrade pip awscli==1.11.183 \
 && apk -v --purge del py-pip
 COPY files/startup.sh files/renew_token.sh files/health-check.sh /
diff --git a/README.md b/README.md
index 3e19778..848ecc6 100644
--- a/README.md
+++ b/README.md
@@ -1,9 +1,6 @@
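Review bot: The new workflow declares no `permissions:` block and pins `actions/checkout` only to the mutable `v3` tag, so the job runs with the repository's default GITHUB_TOKEN grant and with whatever commit that tag points at on the day. A build-only PR check needs nothing beyond read access: add a top-level `permissions:` with `contents: read` and pin the action to a full commit SHA with the tag kept as a trailing comment, e.g. `- uses: actions/checkout@<full-sha> # v3`. The `docker build` step executes the Dockerfile as submitted in the PR, which is expected for this check but is worth remembering if the job ever gains registry credentials or other secrets.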
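Review bot: `aws-cli` is added without a version while the line it replaces pinned `awscli==1.11.183`, and `py-pip` is still installed and immediately purged even though nothing in the layer runs pip any more. Pin the package (`aws-cli=<version>`, hadolint DL3018) and drop `py-pip` from both `apk add` and `apk del`; `py3-urllib3`/`py3-colorama` presumably existed only to serve the pip-installed CLI and can likely go as well once it is confirmed the apk package pulls its own dependencies. Hardcoding `--platform=linux/amd64` in `FROM` makes the image single-architecture and BuildKit's build checks flag a constant platform there — if the goal is only a reproducible CI build, pass `--platform` on the `docker build` command line instead. The stage is still root after `USER root` and the rest of the Dockerfile is outside the hunk, so confirm a non-root `USER` (the `nginx` account created here) is set before the entrypoint.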
 # aws-ecr-http-proxy
@@ -16,9 +13,6 @@ The proxy is packaged in a docker container and can be configured with following
 | Environment Variable | Description | Status | Default |
 | :---------------------------------: | :--------------------------------------------: | :-------------------------------: | :--------: |
 | `AWS_REGION` | AWS Region for AWS ECR | Required | |
-| `AWS_ACCESS_KEY_ID` | AWS Account Access Key ID | Optional | |
-| `AWS_SECRET_ACCESS_KEY` | AWS Account Secret Access Key | Optional | |
-| `AWS_USE_EC2_ROLE_FOR_AUTH` | Set this to true if we do want to use aws roles for authentication instead of providing the secret and access keys explicitly | Optional | |
 | `UPSTREAM` | URL for AWS ECR | Required | |
 | `RESOLVER` | DNS server to be used by proxy | Required | |
 | `PORT` | Port on which proxy listens | Required | |
@@ -32,44 +26,22 @@ The proxy is packaged in a docker container and can be configured with following
 ```sh
 docker run -d --name docker-registry-proxy --net=host \
- -v /registry/local-storage/cache:/cache \
- -v /registry/certificate.pem:/opt/ssl/certificate.pem \
- -v /registry/key.pem:/opt/ssl/key.pem \
+ -v $(pwd)/cache:/cache \
+ -v $(pwd)/roles/docker-registry-proxy/files/certificate.pem:/opt/ssl/certificate.pem \
+ -v $(pwd)/roles/docker-registry-proxy/files/key.pem:/opt/ssl/key.pem \
 -e PORT=5000 \
 -e RESOLVER=8.8.8.8 \
 -e UPSTREAM=https://XXXXXXXXXX.dkr.ecr.eu-central-1.amazonaws.com \
- -e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \
- -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \
 -e AWS_REGION=${AWS_DEFAULT_REGION} \
 -e CACHE_MAX_SIZE=100g \
 -e ENABLE_SSL=true \
 -e REGISTRY_HTTP_TLS_KEY=/opt/ssl/key.pem \
 -e REGISTRY_HTTP_TLS_CERTIFICATE=/opt/ssl/certificate.pem \
- esailors/aws-ecr-http-proxy:latest
+ yershalom/aws-ecr-proxy:latest
 ```
 If you ran this command on "registry-proxy.example.com" you can now get your images using `docker pull registry-proxy.example.com:5000/repo/image`.
-### Deploying the proxy
-
-#### Deploying with ansible
-
-Modify the ansible role [variables](https://github.com/eSailors/aws-ecr-http-proxy/tree/master/roles/docker-registry-proxy/defaults) according to your need and run the playbook as follow:
-```sh
-ansible-playbook -i hosts playbook-docker-registry-proxy.yaml
-```
-In case you want to enable SSL/TLS please replace the SSL certificates with the valid ones in [roles/docker-registry-proxy/files/*.pem](https://github.com/eSailors/aws-ecr-http-proxy/tree/master/roles/docker-registry-proxy/files)
-
-#### Deploying on Kubernetes with Helm
-You can install on Kubernetes using the [community-maintained chart](https://github.com/evryfs/helm-charts/tree/master/charts/ecr-proxy) like this:
-
-```shell
-helm repo add evryfs-oss https://evryfs.github.io/helm-charts/
-helm install evryfs-oss/ecr-proxy --name ecr-proxy --namespace ecr-proxy
-```
-
-See the [values-file](https://github.com/evryfs/helm-charts/blob/master/charts/ecr-proxy/values.yaml) for configuration parameters.
-
 ### Note on SSL/TLS
 The proxy is using `HTTP` (plain text) as default protocol for now. So in order to avoid docker client complaining either:
diff --git a/files/renew_token.sh b/files/renew_token.sh
index 8de0a33..1f096ec 100755
--- a/files/renew_token.sh
+++ b/files/renew_token.sh
@@ -1,14 +1,12 @@
 #!/bin/sh
-set -xe
-
 # update the auth token
 CONFIG=/usr/local/openresty/nginx/conf/nginx.conf
 AUTH=$(grep X-Forwarded-User $CONFIG | awk '{print $4}'| uniq|tr -d "\n\r")
 # retry till new get new token
 while true; do
- TOKEN=$(aws ecr get-login --no-include-email | awk '{print $6}')
+ TOKEN=$(aws ecr get-login-password)
 [ ! -z "${TOKEN}" ] && break
 echo "Warn: Unable to get new token, wait and retry!"
 sleep 30
diff --git a/files/startup.sh b/files/startup.sh
index b56052b..136f129 100755
--- a/files/startup.sh
+++ b/files/startup.sh
@@ -1,8 +1,5 @@
 #!/bin/sh
-set -e
-set -x
-
 if [ -z "$UPSTREAM" ] ; then
 echo "UPSTREAM not set."
 exit 1
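Review bot: Dropping `set -xe` altogether removes error handling from renew_token.sh: without `-e` a failing `sed` further down (outside the hunk) no longer aborts the script, and the `[ ! -z "${TOKEN}" ] && break` guard only covers the token fetch itself. Dropping `-x` is the right call and should stay — `set -x` would have traced the `TOKEN=...` assignment, i.e. the ECR password, into the container log — so replace the removed line with `set -e` (or `set -eu`) rather than with nothing. `aws ecr get-login-password` also only reads the region from `AWS_REGION` in AWS CLI v2; v1 expects `AWS_DEFAULT_REGION` or the `~/.aws/config` the startup script no longer writes, so either confirm the Alpine `aws-cli` package is v2 or pass `--region "$AWS_REGION"` explicitly. The `while` loop closes outside the hunk.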
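Review bot: Removing `set -e` changes the failure behaviour of the whole startup.sh, not just this hunk: the explicit `exit 1` checks that follow still work, but every unchecked command later on — the `sed -i` edits of nginx.conf and the ECR token fetch — now fails silently and the proxy starts on a half-edited config. Removing `set -x` on its own is a genuine improvement, since it would have echoed the ECR password into the container log, so keep that part and replace the two removed lines with a single `set -e`.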
@@ -23,14 +20,7 @@ if [ -z "$AWS_REGION" ] ; then
 exit 1
 fi
-if [ -z "$AWS_USE_EC2_ROLE_FOR_AUTH" ] || [ "$AWS_USE_EC2_ROLE_FOR_AUTH" != "true" ]; then
- if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
- echo "AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY not set."
- exit 1
- fi
-fi
-
-UPSTREAM_WITHOUT_PORT=$( echo ${UPSTREAM} | sed -r "s/.*:\/\/(.*):.*/\1/g")
+UPSTREAM_WITHOUT_PORT=$(echo ${UPSTREAM} | sed -r "s/.*:\/\/(.*):.*/\1/g")
 echo Using resolver $RESOLVER and $UPSTREAM [$(dig +short ${UPSTREAM_WITHOUT_PORT})] as upstream.
 CACHE_MAX_SIZE=${CACHE_MAX_SIZE:-75g}
@@ -64,22 +54,9 @@ sed -i -e s!SSL_LISTEN!"$SSL_LISTEN"!g $CONFIG
 # Update health-check
 sed -i -e s!PORT!"$PORT"!g /health-check.sh
-# setup ~/.aws directory
-AWS_FOLDER='/root/.aws'
-mkdir -p ${AWS_FOLDER}
-echo "[default]" > ${AWS_FOLDER}/config
-echo "region = $AWS_REGION" >> ${AWS_FOLDER}/config
-
-if [ -z "$AWS_USE_EC2_ROLE_FOR_AUTH" ] || [ "$AWS_USE_EC2_ROLE_FOR_AUTH" != "true" ]; then
- echo "[default]" > ${AWS_FOLDER}/credentials
- echo "aws_access_key_id=$AWS_ACCESS_KEY_ID" >> ${AWS_FOLDER}/credentials
- echo "aws_secret_access_key=$AWS_SECRET_ACCESS_KEY" >> ${AWS_FOLDER}/credentials
-fi
-chmod 600 -R ${AWS_FOLDER}
-
 # add the auth token in default.conf
 AUTH=$(grep X-Forwarded-User $CONFIG | awk '{print $4}'| uniq|tr -d "\n\r")
-TOKEN=$(aws ecr get-login --no-include-email | awk '{print $6}')
+TOKEN=$(aws ecr get-login-password)
 AUTH_N=$(echo AWS:${TOKEN} | base64 |tr -d "[:space:]")
 sed -i "s|${AUTH%??}|${AUTH_N}|g" $CONFIG
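Review bot: With the `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` check gone nothing verifies that any credential source is available before nginx.conf is rewritten, and neither this script nor the README now states that credentials are expected to come from the AWS CLI's default chain. A one-line comment where the block was, e.g. `# AWS credentials are resolved by the AWS CLI default chain (env vars, shared config, instance/task role); this script writes none`, would make that intent explicit for operators. While the `UPSTREAM_WITHOUT_PORT=` line is being rewritten, `${UPSTREAM}` in the `echo` should be quoted as `"${UPSTREAM}"` to stop word splitting and globbing of an operator-supplied URL.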
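Review bot: `TOKEN=$(aws ecr get-login-password)` is never checked here, unlike the retry loop in renew_token.sh: if the call fails (no credentials, region not picked up), `TOKEN` is empty, `AUTH_N` becomes the base64 of a bare `AWS:` and is substituted into nginx.conf, and because `set -e` is also removed from this script in the same commit the startup simply carries on and brings the proxy up with an unusable Authorization header. Fail fast instead: `TOKEN=$(aws ecr get-login-password) || { echo "Unable to obtain ECR token" >&2; exit 1; }` followed by `[ -n "$TOKEN" ] || exit 1`. Whatever follows the final `sed -i` is outside the hunk.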