aws_ecr_proxy

module
v0.0.0-...-000e69e
Warning

This package is not in the latest version of its module.
Published: Jul 5, 2020 License: Apache-2.0

README

AWS ECR Proxy

Simple ECR proxy which manages AWS ECR authentication and handles the Link headers. The container also has endpoints for Kubernetes liveness and readiness probes.

Usage
CLI Example

Example usage:

docker run -e AWS_REGION=eu-west-1 \
           -e AWS_SECRET_ACCESS_KEY=blah \
           -e AWS_ACCESS_KEY_ID=blah \
           --name registry --rm -i \
           -p 8080:8080 terrycain/aws_ecr_proxy:latest
Environment Variables
  • AWS_REGION - Configures the AWS SDK's region. This determines which region's ECR images are available
  • AWS_ACCESS_KEY_ID - AWS Access Key
  • AWS_SECRET_ACCESS_KEY - AWS Secret Key
  • LOG_LEVEL - Default INFO - Sets the logging level, one of: DEBUG, INFO, WARN, ERROR
  • LISTEN_PORT - Default 8080
  • LISTEN_HOST - Default 0.0.0.0
  • DISABLE_PROXY_HEADERS - Default false - If set to true, the proxy ignores X-Forwarded-* and X-Real-IP headers. The only time you would want to set this is when the proxy is not sat behind a reverse proxy, because those headers would then be supplied directly by the client.

This proxy uses the standard AWS SDK, so it is entirely possible that the AWS-specific environment variables can be omitted and the proxy will attempt to authenticate using an appropriate IAM role, but this is untested.

Kubernetes

Below is a Kubernetes deployment manifest, including annotations for flux to update the container using the semver matcher and including appropriate lifecycle probes. AWS access keys are passed in using Kubernetes secrets.

TODOMANIFEST
How it works

On startup, the proxy starts a loop that fetches an ECR token and renews it roughly every 12 hours (unless Amazon changes the expiry).

On each request, it injects an Authorization header containing the ECR token. Before serving ECR's response, it rewrites any Link headers, which are used for pagination and contain ECR URLs, so that the links reference the proxy instead.
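
The Link rewriting described above, as an added example that is not the project's own code: `externalBase`, `rewriteLink` and the `trustProxyHeaders` flag (the inverse of DISABLE_PROXY_HEADERS) are hypothetical names, and the account ID and hostnames are constructed. It assumes ECR returns absolute Link targets on its own host and that targets contain no commas.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// externalBase returns the scheme and host clients use to reach the proxy.
// X-Forwarded-* is honoured only when a trusted reverse proxy sets it.
func externalBase(r *http.Request, trustProxyHeaders bool) (string, string) {
	scheme, host := "http", r.Host
	if trustProxyHeaders {
		if v := r.Header.Get("X-Forwarded-Proto"); v == "http" || v == "https" {
			scheme = v
		}
		if v := r.Header.Get("X-Forwarded-Host"); v != "" {
			host = v
		}
	}
	return scheme, host
}

// rewriteLink repoints each <target> on upstreamHost at the proxy; others are kept.
func rewriteLink(value, upstreamHost, scheme, host string) string {
	parts := strings.Split(value, ",") // simplification: assumes no commas inside targets
	for i, part := range parts {
		start, end := strings.Index(part, "<"), strings.Index(part, ">")
		if start < 0 || end < start {
			continue
		}
		u, err := url.Parse(part[start+1 : end])
		if err != nil || !strings.EqualFold(u.Host, upstreamHost) {
			continue
		}
		u.Scheme, u.Host = scheme, host
		parts[i] = part[:start+1] + u.String() + part[end:]
	}
	return strings.Join(parts, ",")
}

func main() {
	// Constructed sample: placeholder account ID and hosts.
	up := "123456789012.dkr.ecr.eu-west-1.amazonaws.com"
	link := "<https://" + up + "/v2/app/tags/list?last=v1&n=100>; rel=\"next\""
	r, _ := http.NewRequest("GET", "http://registry.internal:8080/v2/", nil)
	scheme, host := externalBase(r, false)
	fmt.Println(rewriteLink(link, up, scheme, host))
}
```

With forwarded headers ignored, a client-supplied X-Forwarded-Host cannot steer the rewritten pagination link to another host; relative targets are left alone because they already resolve against the proxy.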

Why

The reason I created this was that FluxCD was not playing ball with ECR when run outside of AWS, and the standard NGINX ECR proxies don't handle Link headers, which Docker registries use for pagination, which results in Flux complaining about the registry requiring authentication. Until the pagination kicked in, the standard proxy https://github.com/catalinpan/aws-ecr-proxy worked fine.

Todo
  • add support to listen with TLS
  • request logging

Directories

Path Synopsis
cmd
internal
