From 1b33c6fb1ece6071c7a360e00e3145042382498b Mon Sep 17 00:00:00 2001 From: Krzysztof Warunek Date: Wed, 18 Sep 2024 22:58:03 +0200 Subject: [PATCH 1/5] Back to upstream and upgrade deps, refactor. Reinitialization --- .github/workflows/docker-publish.yml | 98 +++++++++++++++++++ CHANGELOG.md | 21 ++++ Dockerfile | 25 +++-- LICENSE | 21 ---- README.md | 87 ++++++++-------- {files => config/nginx}/nginx.conf | 32 +++--- {files => config/nginx}/ssl.conf | 4 +- .../supervisord/programs.ini | 0 files/health-check.sh | 2 - files/root | 3 - files/startup.sh | 89 ----------------- hosts | 2 - playbook-docker-registry-proxy.yaml | 3 - roles/docker-registry-proxy/defaults/main.yml | 18 ---- .../files/certificate.pem | 32 ------ roles/docker-registry-proxy/files/key.pem | 52 ---------- roles/docker-registry-proxy/tasks/main.yaml | 65 ------------ {files => scripts}/renew_token.sh | 13 ++- scripts/startup.sh | 76 ++++++++++++++ syntax-check.sh | 7 -- 20 files changed, 271 insertions(+), 379 deletions(-) create mode 100644 .github/workflows/docker-publish.yml create mode 100644 CHANGELOG.md delete mode 100644 LICENSE rename {files => config/nginx}/nginx.conf (91%) rename {files => config/nginx}/ssl.conf (80%) rename files/ecr.ini => config/supervisord/programs.ini (100%) delete mode 100755 files/health-check.sh delete mode 100644 files/root delete mode 100755 files/startup.sh delete mode 100644 hosts delete mode 100644 playbook-docker-registry-proxy.yaml delete mode 100644 roles/docker-registry-proxy/defaults/main.yml delete mode 100644 roles/docker-registry-proxy/files/certificate.pem delete mode 100644 roles/docker-registry-proxy/files/key.pem delete mode 100644 roles/docker-registry-proxy/tasks/main.yaml rename {files => scripts}/renew_token.sh (77%) create mode 100755 scripts/startup.sh delete mode 100755 syntax-check.sh diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml new file mode 100644 index 0000000..b9de757 --- /dev/null 
+++ b/.github/workflows/docker-publish.yml 
@@ -0,0 +1,98 @@ +name: Docker + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +on: + schedule: + - cron: '41 23 * * *' + push: + branches: [ "master" ] + # Publish semver tags as releases. + tags: [ 'v*.*.*' ] + pull_request: + branches: [ "master" ] + +env: + # Use docker.io for Docker Hub if empty + REGISTRY: ghcr.io + # github.repository as / + IMAGE_NAME: ${{ github.repository }} + + +jobs: + build: + + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Install the cosign tool except on PR + # https://github.com/sigstore/cosign-installer + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0 + with: + cosign-release: 'v2.2.4' + + # Set up BuildKit Docker container builder to be able to build + # multi-platform images and export cache + # https://github.com/docker/setup-buildx-action + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + + # Login against a Docker registry except on PR + # https://github.com/docker/login-action + - name: Log into registry ${{ env.REGISTRY }} + if: github.event_name != 'pull_request' + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 + with: + images: 
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + # Build and push Docker image with Buildx (don't push on PR) + # https://github.com/docker/build-push-action + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 + with: + context: . + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + + # Sign the resulting Docker image digest except on PRs. + # This will only write to the public Rekor transparency log when the Docker + # repository is public to avoid leaking data. If you would like to publish + # transparency data even for private images, pass --force to cosign below. + # https://github.com/sigstore/cosign + - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' }} + env: + # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable + TAGS: ${{ steps.meta.outputs.tags }} + DIGEST: ${{ steps.build-and-push.outputs.digest }} + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance. + run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..c18aed8 --- /dev/null +++ b/CHANGELOG.md 
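Review bot: `uses: actions/checkout@v4` is the only action in the job pinned to a mutable tag, while every other `uses:` in this workflow is pinned to a commit SHA with a `# vX.Y.Z` comment; a tag can be moved after the fact, so the checkout step should be pinned the same way, e.g. `uses: actions/checkout@<full-commit-sha> # v4.x.y` with the SHA taken from the release you intend. The `schedule: cron: '41 23 * * *'` trigger also rebuilds and pushes the `master` image every night, and since the Dockerfile's `apk add` and `pip install --upgrade pip` layers are not pinned, the same tag will point at a different image each day; if that is intended, a comment beside the cron line saying so (and that cosign signs each nightly digest) would help the next reader.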
@@ -0,0 +1,21 @@ +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [2.0.0] - 2024-07-24 + +### Added +- Support for AWS WebIdentity Token +- Support for AWS EC2 metadata +- Log of the AWS identity used +- Support to set custom renewal interval +- Fallback to AWS_REGION, AWS_DEFAULT_REGION and region in ECR URL + +### Changed +- Upgraded to OpenResty 1.21.4.1 +- Upgraded AWS CLI to 1.34.21 +- Environment variables names simplified +- Cleaned up the repository structure \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index 43ed49a..1b97bee 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,25 +1,22 @@ -FROM openresty/openresty:1.19.9.1-12-alpine +FROM openresty/openresty:1.21.4.1-0-alpine USER root -RUN apk add -v --no-cache bind-tools python3 py-pip py3-urllib3 py3-colorama supervisor \ - && mkdir /cache \ - && addgroup -g 110 nginx \ - && adduser -u 110 -D -S -h /cache -s /sbin/nologin -G nginx nginx \ - && pip install --upgrade pip awscli==1.11.183 \ - && apk -v --purge del py-pip +RUN apk add -v --no-cache bind-tools python3 py-pip py3-urllib3 py3-colorama supervisor +RUN mkdir /cache +RUN mkdir /etc/crontab +RUN addgroup -g 110 nginx && adduser -u 110 -D -S -h /cache -s /sbin/nologin -G nginx nginx +RUN pip install --upgrade pip awscli==1.34.21 -COPY files/startup.sh files/renew_token.sh files/health-check.sh / -COPY files/ecr.ini /etc/supervisor.d/ecr.ini -COPY files/root /etc/crontabs/root +COPY scripts/startup.sh / +COPY scripts/renew_token.sh / +COPY config/supervisord/programs.ini /etc/supervisor.d/programs.ini -COPY files/nginx.conf /usr/local/openresty/nginx/conf/nginx.conf -COPY files/ssl.conf /usr/local/openresty/nginx/conf/ssl.conf +COPY config/nginx/nginx.conf /usr/local/openresty/nginx/conf/nginx.conf +COPY config/nginx/ssl.conf /usr/local/openresty/nginx/conf/ssl.conf ENV PORT 5000 RUN chmod a+x /startup.sh /renew_token.sh -HEALTHCHECK --interval=5s --timeout=5s --retries=3 CMD /health-check.sh - ENTRYPOINT ["/startup.sh"] CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"] diff --git a/LICENSE b/LICENSE deleted file mode 100644 index 4df4914..0000000 --- a/LICENSE +++ /dev/null 
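Review bot: `RUN mkdir /etc/crontab` creates a directory whose name differs from the spool the old image used (`COPY files/root /etc/crontabs/root`, note the trailing `s`), and `scripts/startup.sh` in this same patch writes the renewal entry to `/etc/crontab/root`; as far as I know Alpine's busybox crond reads `/etc/crontabs/` (via `/var/spool/cron/crontabs`) unless started with an explicit `-c`, so unless `config/supervisord/programs.ini` (not shown) does that, the `/renew_token.sh reload` job never fires and the registry token baked into nginx.conf silently expires. Suggest dropping the `mkdir` and writing to `/etc/crontabs/root` in startup.sh, or starting crond with `-c /etc/crontab` — one or the other, documented on the line. Separately, `apk -v --purge del py-pip` is no longer run, so pip stays in the final image; a short comment on the `RUN pip install --upgrade pip awscli==1.34.21` line saying whether that is deliberate would stop someone re-adding the purge.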
@@ -1,21 +0,0 @@ -MIT License - -Copyright (c) 2017 eSailors IT Solutions GmbH - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. diff --git a/README.md b/README.md index 3e19778..4f5bab9 100644 --- a/README.md +++ b/README.md @@ -1,32 +1,49 @@ -

- - - - - -

- # aws-ecr-http-proxy A very simple nginx push/pull proxy that forwards requests to AWS ECR and caches the responses locally. +### Differences Between Fork and Upstream Repository + +- Added support for AWS WebIdentity Token +- Added support for AWS EC2 metadata +- Added log of the AWS identity used +- Added support to set custom renewal interval +- Fallback to AWS_REGION, AWS_DEFAULT_REGION and region in ECR URL +- Upgraded to OpenResty 1.21.4.1 +- Upgraded AWS CLI to 1.34.21 +- Environment variables names simplified +- Cleaned up the repository structure + ### Configuration: The proxy is packaged in a docker container and can be configured with following environment variables: | Environment Variable | Description | Status | Default | | :---------------------------------: | :--------------------------------------------: | :-------------------------------: | :--------: | -| `AWS_REGION` | AWS Region for AWS ECR | Required | | -| `AWS_ACCESS_KEY_ID` | AWS Account Access Key ID | Optional | | -| `AWS_SECRET_ACCESS_KEY` | AWS Account Secret Access Key | Optional | | -| `AWS_USE_EC2_ROLE_FOR_AUTH` | Set this to true if we do want to use aws roles for authentication instead of providing the secret and access keys explicitly | Optional | | -| `UPSTREAM` | URL for AWS ECR | Required | | +| `ECR` | URL for AWS ECR | Required | | | `RESOLVER` | DNS server to be used by proxy | Required | | | `PORT` | Port on which proxy listens | Required | | -| `CACHE_MAX_SIZE` | Maximum size for cache volume | Optional | `75g` | -| `CACHE_KEY` | Cache key used for the content by nginx | Optional | `$uri` | -| `ENABLE_SSL` | Used to enable SSL/TLS for proxy | Optional | `false` | -| `REGISTRY_HTTP_TLS_KEY` | Path to TLS key in the container | Required with TLS | | -| `REGISTRY_HTTP_TLS_CERTIFICATE` | Path to TLS cert in the container | Required with TLS | | +| `CACHE_MAX_SIZE` | Maximum size for cache volume | Optional | `75g` | +| `CACHE_KEY` | Cache key used for the content by nginx | 
Optional | `$uri` | +| `RENEW_INTERVAL_HOURS` | Interval for renewing the AWS credentials | Optional | `6` | +| `ENABLE_SSL` | Used to enable SSL/TLS for proxy | Optional | `false` | +| `SSL_KEY` | Path to TLS key in the container | Required with SSL | | +| `SSL_CERTIFICATE` | Path to TLS cert in the container | Required with SSL | | + + +AWS identity can be passed: +- using environment variables +- using AWS credentials file (mounted in the container) +- using WebIdentity Token (mounted in the container) +- on AWS EC2 via metadata + +If `AWS_REGION` is not set, it will be deduced from ECR URL. + +| Environment Variable | Description | Status | Default | +| :---------------------------------: | :--------------------------------------------: | :-------------------------------: | :--------: | +| `AWS_REGION` | Region | Optional | | +| `AWS_ACCESS_KEY_ID` | Access key | Optional | | +| `AWS_SECRET_ACCESS_KEY` | Secret key | Optional | | + ### Example: 
@@ -37,41 +54,17 @@ docker run -d --name docker-registry-proxy --net=host \ -v /registry/key.pem:/opt/ssl/key.pem \ -e PORT=5000 \ -e RESOLVER=8.8.8.8 \ - -e UPSTREAM=https://XXXXXXXXXX.dkr.ecr.eu-central-1.amazonaws.com \ - -e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \ - -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \ - -e AWS_REGION=${AWS_DEFAULT_REGION} \ + -e ECR=https://XXXXXXXXXX.dkr.ecr.eu-central-1.amazonaws.com \ -e CACHE_MAX_SIZE=100g \ -e ENABLE_SSL=true \ - -e REGISTRY_HTTP_TLS_KEY=/opt/ssl/key.pem \ - -e REGISTRY_HTTP_TLS_CERTIFICATE=/opt/ssl/certificate.pem \ - esailors/aws-ecr-http-proxy:latest + -e SSL_KEY=/opt/ssl/key.pem \ + -e SSL_CERTIFICATE=/opt/ssl/certificate.pem \ + ghcr.io/dreamlab/aws-ecr-http-proxy:master ``` If you ran this command on "registry-proxy.example.com" you can now get your images using `docker pull registry-proxy.example.com:5000/repo/image`. -### Deploying the proxy - -#### Deploying with ansible - -Modify the ansible role [variables](https://github.com/eSailors/aws-ecr-http-proxy/tree/master/roles/docker-registry-proxy/defaults) according to your need and run the playbook as follow: -```sh -ansible-playbook -i hosts playbook-docker-registry-proxy.yaml -``` -In case you want to enable SSL/TLS please replace the SSL certificates with the valid ones in [roles/docker-registry-proxy/files/*.pem](https://github.com/eSailors/aws-ecr-http-proxy/tree/master/roles/docker-registry-proxy/files) - -#### Deploying on Kubernetes with Helm -You can install on Kubernetes using the [community-maintained chart](https://github.com/evryfs/helm-charts/tree/master/charts/ecr-proxy) like this: - -```shell -helm repo add evryfs-oss https://evryfs.github.io/helm-charts/ -helm install evryfs-oss/ecr-proxy --name ecr-proxy --namespace ecr-proxy -``` - -See the [values-file](https://github.com/evryfs/helm-charts/blob/master/charts/ecr-proxy/values.yaml) for configuration parameters. 
- - ### Note on SSL/TLS The proxy is using `HTTP` (plain text) as default protocol for now. So in order to avoid docker client complaining either: - - (**Recommended**) Enable SSL/TLS using `ENABLE_SSL` configuration. For that you will have to mount your **valid** certificate/key in the container and pass the paths using `REGISTRY_HTTP_TLS_*` variables. + - (**Recommended**) Enable SSL/TLS using `ENABLE_SSL` configuration. For that you will have to mount your **valid** certificate/key in the container and pass the paths using `SSL_*` variables. - Mark the registry host as insecure in your client [deamon config](https://docs.docker.com/registry/insecure/). diff --git a/files/nginx.conf b/config/nginx/nginx.conf similarity index 91% rename from files/nginx.conf rename to config/nginx/nginx.conf index b714aac..6f92f8a 100644 --- a/files/nginx.conf +++ b/config/nginx/nginx.conf @@ -1,10 +1,11 @@ -user nginx; -worker_processes 1; - events { worker_connections 1024; } +user nginx; +worker_processes 1; + + http { include mime.types; default_type application/octet-stream; @@ -12,8 +13,8 @@ http { keepalive_timeout 65; sendfile on; - proxy_cache_path /cache/cache levels=1:2 keys_zone=cache:16m inactive=1y max_size=CACHE_MAX_SIZE use_temp_path=off; - resolver RESOLVER valid=30s; + proxy_cache_path /cache/cache levels=1:2 keys_zone=cache:16m inactive=1y max_size=__CACHE_MAX_SIZE__ use_temp_path=off; + resolver __RESOLVER__ valid=30s; # this is necessary for us to be able to disable request buffering in all cases proxy_http_version 1.1; @@ -27,9 +28,9 @@ http { } server { - listen PORT SSL_LISTEN default_server; + listen __PORT__ __SSL_LISTEN__ default_server; - SSL_INCLUDE + __SSL_INCLUDE__ # Cache add_header X-Cache-Status $upstream_cache_status; 
@@ -54,15 +55,10 @@ http { add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always; add_header "Access-Control-Allow-Origin" "*"; - # health check - location /healthz { - return 200; - } - location / { - set $url UPSTREAM; + set $url __ECR__; proxy_pass $url; - proxy_redirect $url SCHEME://$host:PORT; + proxy_redirect $url __SCHEME__://$host:__PORT__; # Add AWS ECR authentication headers proxy_set_header X-Real-IP $remote_addr; @@ -76,9 +72,9 @@ http { # Content addressable files like blobs. # https://docs.docker.com/registry/spec/api/#blob location ~ ^/v2/.*/blobs/[a-z0-9]+:[a-f0-9]+$ { - set $url UPSTREAM; + set $url __ECR__; proxy_pass $url; - proxy_redirect $url SCHEME://$host:PORT; + proxy_redirect $url __SCHEME__://$host:__PORT__; # Add AWS ECR authentication headers proxy_set_header X-Real-IP $remote_addr; @@ -101,7 +97,7 @@ http { set $saved_redirect_location '$upstream_http_location'; proxy_pass $saved_redirect_location; proxy_cache cache; - proxy_cache_key CACHE_KEY; + proxy_cache_key __CACHE_KEY__; proxy_cache_valid 200 1y; proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504; @@ -140,7 +136,7 @@ http { location /get_tags { internal; set_unescape_uri $req_uri $arg_req_uri; - proxy_pass UPSTREAM$req_uri; + proxy_pass __ECR__$req_uri; # Add AWS ECR authentication headers proxy_set_header X-Real-IP $remote_addr; diff --git a/files/ssl.conf b/config/nginx/ssl.conf similarity index 80% rename from files/ssl.conf rename to config/nginx/ssl.conf index 5ef014f..8775753 100644 --- a/files/ssl.conf +++ b/config/nginx/ssl.conf 
@@ -1,5 +1,5 @@ -ssl_certificate_key REGISTRY_HTTP_TLS_KEY; -ssl_certificate REGISTRY_HTTP_TLS_CERTIFICATE; +ssl_certificate_key __SSL_KEY__; +ssl_certificate __SSL_CERTIFICATE__; ssl_protocols TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; diff --git a/files/ecr.ini b/config/supervisord/programs.ini similarity index 100% rename from files/ecr.ini rename to config/supervisord/programs.ini diff --git a/files/health-check.sh b/files/health-check.sh deleted file mode 100755 index 5ee60c2..0000000 --- a/files/health-check.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/sh -wget localhost:PORT/healthz -q -O - > /dev/null 2>&1 diff --git a/files/root b/files/root deleted file mode 100644 index 9732173..0000000 --- a/files/root +++ /dev/null @@ -1,3 +0,0 @@ -# Refresh the AWS ECR token periodically. -# min hour day month weekday command -0 */6 * * * /renew_token.sh diff --git a/files/startup.sh b/files/startup.sh deleted file mode 100755 index b56052b..0000000 --- a/files/startup.sh +++ /dev/null 
@@ -1,89 +0,0 @@ -#!/bin/sh - -set -e -set -x - -if [ -z "$UPSTREAM" ] ; then - echo "UPSTREAM not set." - exit 1 -fi - -if [ -z "$PORT" ] ; then - echo "PORT not set." - exit 1 -fi - -if [ -z "$RESOLVER" ] ; then - echo "RESOLVER not set." - exit 1 -fi - -if [ -z "$AWS_REGION" ] ; then - echo "AWS_REGION not set." - exit 1 -fi - -if [ -z "$AWS_USE_EC2_ROLE_FOR_AUTH" ] || [ "$AWS_USE_EC2_ROLE_FOR_AUTH" != "true" ]; then - if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then - echo "AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY not set." - exit 1 - fi -fi - -UPSTREAM_WITHOUT_PORT=$( echo ${UPSTREAM} | sed -r "s/.*:\/\/(.*):.*/\1/g") -echo Using resolver $RESOLVER and $UPSTREAM [$(dig +short ${UPSTREAM_WITHOUT_PORT})] as upstream. - -CACHE_MAX_SIZE=${CACHE_MAX_SIZE:-75g} -echo Using cache max size $CACHE_MAX_SIZE - -CACHE_KEY=${CACHE_KEY:='$uri'} -echo Using cache key $CACHE_KEY - -SCHEME=http -CONFIG=/usr/local/openresty/nginx/conf/nginx.conf -SSL_CONFIG=/usr/local/openresty/nginx/conf/ssl.conf - -if [ "$ENABLE_SSL" ]; then - sed -i -e s!REGISTRY_HTTP_TLS_CERTIFICATE!"$REGISTRY_HTTP_TLS_CERTIFICATE"!g $SSL_CONFIG - sed -i -e s!REGISTRY_HTTP_TLS_KEY!"$REGISTRY_HTTP_TLS_KEY"!g $SSL_CONFIG - SSL_LISTEN="ssl" - SSL_INCLUDE="include $SSL_CONFIG;" - SCHEME="https" -fi - -# Update nginx config -sed -i -e s!UPSTREAM!"$UPSTREAM"!g $CONFIG -sed -i -e s!PORT!"$PORT"!g $CONFIG -sed -i -e s!RESOLVER!"$RESOLVER"!g $CONFIG -sed -i -e s!CACHE_MAX_SIZE!"$CACHE_MAX_SIZE"!g $CONFIG -sed -i -e s!CACHE_KEY!"$CACHE_KEY"!g $CONFIG -sed -i -e s!SCHEME!"$SCHEME"!g $CONFIG -sed -i -e s!SSL_INCLUDE!"$SSL_INCLUDE"!g $CONFIG -sed -i -e s!SSL_LISTEN!"$SSL_LISTEN"!g $CONFIG - -# Update health-check -sed -i -e s!PORT!"$PORT"!g /health-check.sh - -# setup ~/.aws directory -AWS_FOLDER='/root/.aws' -mkdir -p ${AWS_FOLDER} -echo "[default]" > ${AWS_FOLDER}/config -echo "region = $AWS_REGION" >> ${AWS_FOLDER}/config - -if [ -z "$AWS_USE_EC2_ROLE_FOR_AUTH" ] || [ 
"$AWS_USE_EC2_ROLE_FOR_AUTH" != "true" ]; then - echo "[default]" > ${AWS_FOLDER}/credentials - echo "aws_access_key_id=$AWS_ACCESS_KEY_ID" >> ${AWS_FOLDER}/credentials - echo "aws_secret_access_key=$AWS_SECRET_ACCESS_KEY" >> ${AWS_FOLDER}/credentials -fi -chmod 600 -R ${AWS_FOLDER} - -# add the auth token in default.conf -AUTH=$(grep X-Forwarded-User $CONFIG | awk '{print $4}'| uniq|tr -d "\n\r") -TOKEN=$(aws ecr get-login --no-include-email | awk '{print $6}') -AUTH_N=$(echo AWS:${TOKEN} | base64 |tr -d "[:space:]") -sed -i "s|${AUTH%??}|${AUTH_N}|g" $CONFIG - -# make sure cache directory has correct ownership -chown -R nginx:nginx /cache - -exec "$@" diff --git a/hosts b/hosts deleted file mode 100644 index 1509c55..0000000 --- a/hosts +++ /dev/null @@ -1,2 +0,0 @@ -[docker-registry-proxy] -localhost ansible_connection=local diff --git a/playbook-docker-registry-proxy.yaml b/playbook-docker-registry-proxy.yaml deleted file mode 100644 index 122c390..0000000 --- a/playbook-docker-registry-proxy.yaml +++ /dev/null @@ -1,3 +0,0 @@ -- hosts: docker-registry-proxy - roles: - - role: docker-registry-proxy diff --git a/roles/docker-registry-proxy/defaults/main.yml b/roles/docker-registry-proxy/defaults/main.yml deleted file mode 100644 index 7ad11e2..0000000 --- a/roles/docker-registry-proxy/defaults/main.yml +++ /dev/null @@ -1,18 +0,0 @@ -docker_proxy_clear_cache: false -docker_proxy_cache_limit: 75g -docker_proxy_cache_path: /registry/local-storage/cache -docker_proxy_version: latest -docker_proxy_backend: "XXXXXXXX.dkr.ecr.eu-central-1.amazonaws.com" -docker_proxy_backend_schema: https -docker_proxy_backend_resolver: "8.8.8.8" -docker_proxy_ecr_access_id: -docker_proxy_ecr_secret_key: -docker_proxy_ecr_region: - -# ssl config -docker_proxy_ssl_enabled: false -docker_proxy_ssl_copy_certs: false -docker_proxy_ssl_host_path: /registry -docker_proxy_ssl_host_cert_name: certificate.pem -docker_proxy_ssl_host_key_name: key.pem -docker_proxy_ssl_container_path: /opt/nginx 
diff --git a/roles/docker-registry-proxy/files/certificate.pem b/roles/docker-registry-proxy/files/certificate.pem deleted file mode 100644 index fc3fc52..0000000 --- a/roles/docker-registry-proxy/files/certificate.pem +++ /dev/null 
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFcTCCA1mgAwIBAgIJALWdZASytQRkMA0GCSqGSIb3DQEBCwUAME8xCzAJBgNV -BAYTAkRFMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxFTATBgNVBAoMDGVTYWlsb3Jz -IExURDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTE5MDkwMjA4NTYzNloXDTI5MDgz -MDA4NTYzNlowTzELMAkGA1UEBhMCREUxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEV -MBMGA1UECgwMZVNhaWxvcnMgTFREMRIwEAYDVQQDDAlsb2NhbGhvc3QwggIiMA0G -CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCrznLzCWlKJO4fXD/E8hx4cXUqbd9U -VwpcAzWq3xGjC6gettYSp171elDXj23ddDJ1wwOl2U0bjN/DceRCl4Tnb3O86fzt -Bwj8xA/stYGvZQqOvEhSfFh85qvDf1niu2uW1Zx4kMemUvNdhpXsqa9RPSu0Mb0G -ZeHnCQkuz3KTjUMhQqwomg/6BY4G7tDmCZYsZezGSgAgoa+Q4vffW+H8S9nuKi8o -EXUf9NuJHUTjtdgcVcCihPj54jXAQsqS9JzWSWxDnKxTaOZuRWEkG+vqGoKEL5+q -PeH8x8aAM7wErsdxTqTV4XCJU0nS9om1Z6sz0Lrva/loyKciulTO8jYWqZIuBL8J -GVeizcoYl9KcW8I66XkeuYWlNWCsWhGii7zEWVcXDdSuLCv1wLagRE9MJHoT64nd -KAR2UQml/MSPlz8419K4r87hcVmNU6FFBP2RZO7UGW5eHbbKT+whhDdBTaig2NNL -Ml7pVFq6ciemNr6IVsTuzS0VPJpuOoZa86+6UPqgw49jg4cBlKxgJxanDy2a2Hbm -zx2dPAkbz3kMKDeBmgFzk3xt10czPXvIXUSnJdhi8NdQUCBHdu9yjT3s7Cc12NCQ -3H0NPWUklHlqJrPY9IbGnNrmJblwZ7hyrI3eISV9njQf3etL2QdDXksLJpgeQsv7 -vcXEBje+aluNqQIDAQABo1AwTjAdBgNVHQ4EFgQUyBLOw8nyo6W4BJWI9L24TTta -RbcwHwYDVR0jBBgwFoAUyBLOw8nyo6W4BJWI9L24TTtaRbcwDAYDVR0TBAUwAwEB -/zANBgkqhkiG9w0BAQsFAAOCAgEAkYdRTaZuVAcxY1MI7V8PVnvTDxJ1izAWsr2W -aQMSX0UxAZ/Aed+Q056Ya50/x5ffSigHY5Dap4eP36i/4+dhIeoaMpRjlz/sWCb5 -fE6judBvrMlMwrnKpi/eN0QC1KiCptPbPVPyonRj1ydrvQTPPDxLSeqgzCn3q5kf -Gb6VlPDhj/CmIoVXkA9gYNlCwSpZ49DJJ2gTmI+MXolXnlZCvXuR+VsgTsjn96vH -j0AczAZ+g7gD8XTl/K9Z/gcs06DcmMonYrgOGuaFDDiEuBwgABo8gajCFg4xwxi2 -bw7B+opMrOXH9ZGhaoF2eySDGXXgw7TLRqkGXDghZNzWajnGuN7vSaiQfnr0EmW+ -020gJDDUZyc9Ky165SQe3Bfin1cLc2W6mZYmV9lDtUYw80Gth52L9uOiEBIbV6mI -ZBZFyslxQ7IYWOxseoU9xrxzscTtxa+MGs47w6Hzxh38zYPe/I0Yt62yMRtUmJJ7 -ebQZti7qLeW+QOZAruUzei7fpOZOrq8vy4GBUm0pkg8eOVdDaCAQAWMwaGaHH9/5 -q+AvDLjvR6zvJdV2dxA3XsVmcIA45zOA2mZkRrcTWyf5DZ7bDcQvSnd7R4anv3hG -YJXeKyzcI7SWfMxo0hU6p9fv66xYn6x9d5oA/ZU/5XRn1bFL7kuKj7BmB+LcS0BE -XipqaCA= ------END CERTIFICATE----- 
diff --git a/roles/docker-registry-proxy/files/key.pem b/roles/docker-registry-proxy/files/key.pem deleted file mode 100644 index 5d88119..0000000 --- a/roles/docker-registry-proxy/files/key.pem +++ /dev/null 
@@ -1,52 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQCrznLzCWlKJO4f -XD/E8hx4cXUqbd9UVwpcAzWq3xGjC6gettYSp171elDXj23ddDJ1wwOl2U0bjN/D -ceRCl4Tnb3O86fztBwj8xA/stYGvZQqOvEhSfFh85qvDf1niu2uW1Zx4kMemUvNd -hpXsqa9RPSu0Mb0GZeHnCQkuz3KTjUMhQqwomg/6BY4G7tDmCZYsZezGSgAgoa+Q -4vffW+H8S9nuKi8oEXUf9NuJHUTjtdgcVcCihPj54jXAQsqS9JzWSWxDnKxTaOZu -RWEkG+vqGoKEL5+qPeH8x8aAM7wErsdxTqTV4XCJU0nS9om1Z6sz0Lrva/loyKci -ulTO8jYWqZIuBL8JGVeizcoYl9KcW8I66XkeuYWlNWCsWhGii7zEWVcXDdSuLCv1 -wLagRE9MJHoT64ndKAR2UQml/MSPlz8419K4r87hcVmNU6FFBP2RZO7UGW5eHbbK -T+whhDdBTaig2NNLMl7pVFq6ciemNr6IVsTuzS0VPJpuOoZa86+6UPqgw49jg4cB -lKxgJxanDy2a2Hbmzx2dPAkbz3kMKDeBmgFzk3xt10czPXvIXUSnJdhi8NdQUCBH -du9yjT3s7Cc12NCQ3H0NPWUklHlqJrPY9IbGnNrmJblwZ7hyrI3eISV9njQf3etL -2QdDXksLJpgeQsv7vcXEBje+aluNqQIDAQABAoICAQCjIxe3expFUyfhE2FiC1vJ -akKNFWNY3IVztYCCTeqbXXg4IfjIIbFjes/Ev+bcv3cipxiRpPM4092t4jmSmfmT -IRtPKQgHsgRwr2NHq1oHR/RscJBj8rq7bvVuX0DksH6K7S70tNU/M8ju59r4rG9S -vrj/E7OfnaKSFNxpXIY5YYt6y6pZq2C8UgX4w1AM/tFgOzBHYQEZ+y2QcFRZ/Q9q -2EOJiPjaHSmQPJsxaV9+sa8RyMNwDr+z136en01nmWpLd9CbqutfEF6uGqcQ+Ipc -8us3xVjg+H3b3363QWipMaUkDD8s8DJB05pn/b3pSRUh0HOQ4IAlZVJ/AVuCXi/I -amEVq5hClLL16OhyM4u/50BxSn673jNCi3uRPxcJlnR0cFy8u6XEs8rbU1ezxlz3 -SJBpTfXyvvWhNdvEQzNy+AOf8XQLzKgcnoLYYx9nhFUBv3pSU+7hW11RKmjHSu9v -0NNcUGq+Ig3QTB/4CTM1YJ/usL9kVdJY+tK1wVKHiIm0O58fcyrfN05kUpqJ5NMg -4ByeXkm8JR8A9jiNmJy/bBuFEIXTsxalsQjonGw4WHcRZCke0eqMSOgzp50CNad2 -NIRqNWD0EInTatXtjTQ+zbCkDoUdgW4NhCnmf4OxVLEpKIYFw/y1271mVZp9zbYU -aAfaTXi/mZ+hAspQlTOPAQKCAQEA3BhyO90ACUtKbbBPwUVgEHxtsKZ1lyIgyGMQ -D8PDh+ixdvRYD4m4rewTzY346kaEPcWzjKUp2sU0G1/moBQWLBb9gKyBll8LKSNG -yA5MAMENyI9rIFpzOoJkkTrnu8iwIPXjVgAShrRqBa+eKAa5XEOR6x+L5UhIEZIQ -mfCqyPAKKieODiykqqmDURCadRC3LrIbjDSdnX6VEMS7Sun6pNRz7s1u5CYnLQGZ -QhZeRMkcdmYuAThfwWpX/GdtIxqM08jWX9RFKpMiSisKX8YsXv0W0IbesuDj/bkc -4BQou03sEUJxC6P8O+jiKtOkygwTdqmjIpDRf1EHiPGibv+f+QKCAQEAx9VfJ/5e -zmLWwEEqSxpwWpMQdB5ir68VjnnvFNDVms/XVHr/EV7TuI092cXJdntqqynCZGBA 
-IP1Wv2eSqGibIyOXdbTXv1qWmSxZdeECIj11vtRQ5etK977/F0llNYav6WAn3pDp -0IRzofaD6SEFhTJKoGiv86gFcqm2tO4lrTU1B30KnqKfYER6mUdBwto///Rwrpoy -B5+EWbrjJmKOqKuXP+M/YnlQXeBtyVHlQlaog2sea9OSCJEbTrmkZqJ1ZXmBH8T+ -D91QOF+5rxPVKLG5Ybnfen7Fu3dHAotD8WM77iQR+EDmffvrxS+ddZUXzINS9jml -kKkaG9zOvEcnMQKCAQEAyIo1u7nYSJ+jh2I4qT9PEnZtc6GYT0a3XB53CgYzaOhq -mpp0imPQNBiAyrBrdvsdjzNOL/5lroI0wiSVfJIQyceA3/dOc/bRsoAEBFCSi7Vb -m7yhvW7swwkAHRvw/bcUVFP2+etC9h345Ilpr8rApgKjN/sceqNrlybhnYId+sxM -VrCHzP58Y0vk7L4WHkhGwHNkilF+s3wc0pSOmumqiPlTUOk5+wOQen+UZxT+e+pK -1s6vaEk3ZoJA/Sg31t5gJrA+ND6zbuF1QuMIps9oqnwsh3/79jzXP92lI776hf+v -8uH5IsQeFXBScvc4lSh/q4VRsTMGz9zC4tJYUI718QKB/3qNYM4mMf5gn1NIo6dr -j3v8tRqBiAQ2XAIExZr+eAF5dZVZ2RPOFAoalNP5eJQxHDncYlssrCePNqQr4MVn -Yb0rFrgZMDcqVzGZAURJugVFq/BcRUC8DD3j5I1jda5d64Q0dD8KoFpA4KlzhXJz -ze7h6OJ3UXEcmjq32lUbt/+BogP1q42eLh/b31QhXzMgph9SychKyGPkcEaXVrcz -ukm28gs8UqMRwzfPa4ULtI36l14BU6bNGcInO5gMQcav209gNNBG/4i7MXdhPX8h -qphKZmaIl4WIObu+as4kmoZvVVG2zU5yfujEltNXYDm8Ndw2rapTsDYHfvuXbzII -cQKCAQBW3LAfFAkmu1+NJBXYt86rftOF+VSNWkN1/YkPwIMX1y647aVMGMegr7yF -xUh1DSQQAuD2ACzII1ufoUWRrhdCMsgr3o9b0ApCXQwTaaFsZjGIr33bsnqNHW3e -FJEfTrNW5PLTkkEjJQH0N/6W0TRowjpYSpgRz/fpJjdFLmQ1A+RLVoyHCVq/Qhzj -Ywk6hsYjI432aebdFH8pqWl8Hhcq6DW9jAyKkuVnX/p60OZ6tp6cZ75nIj7bdB7W -zcrUs4/igRY8HUwZlQJK5X2D+LWuN1Ag8DBbbjOmqziKDBikV/GmOcuCRgltckrT -UFg2hiaXvnBuMgGHodqIzeQarqKv ------END PRIVATE KEY----- diff --git a/roles/docker-registry-proxy/tasks/main.yaml b/roles/docker-registry-proxy/tasks/main.yaml deleted file mode 100644 index cd2bc96..0000000 --- a/roles/docker-registry-proxy/tasks/main.yaml +++ /dev/null 
@@ -1,65 +0,0 @@ -- name: Create cache directory - become: true - file: path={{ docker_proxy_cache_path }} state=directory mode=0755 recurse=true - -- name: Copy the ssl certificates - become: true - copy: - src: "{{ item }}" - dest: "{{ docker_proxy_ssl_host_path }}/{{ item }}" - with_items: - - certificate.pem - - key.pem - when: - - docker_proxy_ssl_enabled | bool - - docker_proxy_ssl_copy_certs | bool - -- name: Print current cache directory size information - become: true - command: du -hs {{ docker_proxy_cache_path }} - -- name: Pull proxy container - become: true - command: > - docker pull esailors/aws-ecr-http-proxy:{{ docker_proxy_version }} - tags: - - pull-image - -- name: Remove previous proxy container - become: true - command: docker rm -fv docker-registry-proxy - ignore_errors: true - -- name: Clear local cache - become: true - command: rm -rf {{ docker_proxy_cache_path }} - when: docker_proxy_clear_cache|bool - -- name: Run new docker registry proxy container - become: true - command: > - docker run -d - --name docker-registry-proxy - --net host - --restart=unless-stopped - - -v {{ docker_proxy_cache_path }}:/cache - - {% if docker_proxy_ssl_enabled | bool %} - -v {{ docker_proxy_ssl_host_path }}/{{ docker_proxy_ssl_host_cert_name }}:{{ docker_proxy_ssl_container_path }}/certificate.pem - -v {{ docker_proxy_ssl_host_path }}/{{ docker_proxy_ssl_host_key_name }}:{{ docker_proxy_ssl_container_path }}/key.pem - - -e ENABLE_SSL=true - -e REGISTRY_HTTP_TLS_KEY={{ docker_proxy_ssl_container_path }}/key.pem - -e REGISTRY_HTTP_TLS_CERTIFICATE={{ docker_proxy_ssl_container_path }}/certificate.pem - {% endif %} - - -e RESOLVER={{ docker_proxy_backend_resolver }} - -e PORT=5000 - -e UPSTREAM={{ docker_proxy_backend_schema }}://{{ docker_proxy_backend }} - -e CACHE_MAX_SIZE={{ docker_proxy_cache_limit }} - -e AWS_ACCESS_KEY_ID={{ docker_proxy_ecr_access_id }} - -e AWS_SECRET_ACCESS_KEY={{ docker_proxy_ecr_secret_key }} - -e AWS_REGION={{ docker_proxy_ecr_region 
}} - - esailors/aws-ecr-http-proxy:{{ docker_proxy_version }} diff --git a/files/renew_token.sh b/scripts/renew_token.sh similarity index 77% rename from files/renew_token.sh rename to scripts/renew_token.sh index 8de0a33..09cfc9b 100755 --- a/files/renew_token.sh +++ b/scripts/renew_token.sh @@ -1,6 +1,10 @@ #!/bin/sh -set -xe +set -e +set +x + +echo 'Using identity:' +aws sts get-caller-identity # update the auth token CONFIG=/usr/local/openresty/nginx/conf/nginx.conf @@ -14,9 +18,10 @@ while true; do sleep 30 done - AUTH_N=$(echo AWS:${TOKEN} | base64 |tr -d "[:space:]") - sed -i "s|${AUTH%??}|${AUTH_N}|g" $CONFIG -nginx -s reload +if [ "$1" == "reload" ]; then + echo "Reloading nginx" + nginx -s reload +fi \ No newline at end of file diff --git a/scripts/startup.sh b/scripts/startup.sh new file mode 100755 index 0000000..1236a6f --- /dev/null +++ b/scripts/startup.sh 
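Review bot: `if [ "$1" == "reload" ]; then` relies on the bash-style `==`, which `#!/bin/sh` does not guarantee; busybox ash happens to accept it, but the POSIX form `if [ "$1" = "reload" ]; then` works on every `sh`, and the same `==` appears in the `ENABLE_SSL` test of `scripts/startup.sh`. The file also ends without a trailing newline. Switching from `set -xe` to `set +x` is the right call because trace mode printed the expanded `sed -i "s|${AUTH%??}|${AUTH_N}|g"` command, i.e. the base64 registry token, into the container log; a one-line comment such as `# keep xtrace off: the sed below carries the registry token` would keep it from being re-enabled during debugging. The token fetch loop this hunk modifies starts before the hunk.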
@@ -0,0 +1,76 @@
+#!/bin/sh
+
+set -e
+set +x
+
+if [ -z "$ECR" ] ; then
+ echo "ECR not set."
+ exit 1
+fi
+
+if [ -z "$PORT" ] ; then
+ echo "PORT not set."
+ exit 1
+fi
+
+if [ -z "$RESOLVER" ] ; then
+ echo "RESOLVER not set."
+ exit 1
+fi
+
+if [ -z "$AWS_REGION" ] ; then
+ echo "AWS_REGION not set."
+ exit 1
+fi
+
+ECR_WITHOUT_PORT=$( echo ${ECR} | sed -r "s/.*:\/\/(.*):.*/\1/g")
+echo Using resolver $RESOLVER and $ECR [$(dig +short ${ECR_WITHOUT_PORT})] as upstream.
+
+CACHE_MAX_SIZE=${CACHE_MAX_SIZE:-75g}
+echo Using cache max size $CACHE_MAX_SIZE
+
+CACHE_KEY=${CACHE_KEY:='$uri'}
+echo Using cache key $CACHE_KEY
+
+SCHEME=http
+CONFIG=/usr/local/openresty/nginx/conf/nginx.conf
+SSL_CONFIG=/usr/local/openresty/nginx/conf/ssl.conf
+
+if [ "$ENABLE_SSL" ] && [ "$ENABLE_SSL" == "true" ]; then
+ sed -i -e s!__SSL_KEY__!"$SSL_KEY"!g $SSL_CONFIG
+ sed -i -e s!__SSL_CERTIFICATE__!"$SSL_CERT"!g $SSL_CONFIG
+ SSL_LISTEN="ssl"
+ SSL_INCLUDE="include $SSL_CONFIG;"
+ SCHEME="https"
+fi
+
+# Update nginx config
+sed -i -e s!__ECR__!"$ECR"!g $CONFIG
+sed -i -e s!__PORT__!"$PORT"!g $CONFIG
+sed -i -e s!__RESOLVER__!"$RESOLVER"!g $CONFIG
+sed -i -e s!__CACHE_MAX_SIZE__!"$CACHE_MAX_SIZE"!g $CONFIG
+sed -i -e s!__CACHE_KEY__!"$CACHE_KEY"!g $CONFIG
+sed -i -e s!__SCHEME__!"$SCHEME"!g $CONFIG
+sed -i -e s!__SSL_INCLUDE__!"$SSL_INCLUDE"!g $CONFIG
+sed -i -e s!__SSL_LISTEN__!"$SSL_LISTEN"!g $CONFIG
+
+
+ECR_REGION=$(echo $ECR | sed -r "s/.*:\/\/.*\.(.*)\.amazonaws\.com/\1/g")
+
+if [ -z "$AWS_DEFAULT_REGION" ]; then
+ export AWS_DEFAULT_REGION=$ECR_REGION
+ echo "AWS_DEFAULT_REGION was not set. Setting it to $ECR_REGION from ECR endpoint"
+fi
+
+env |grep AWS > /etc/environment
+
+# get token for the first time
+/renew_token.sh
+
+chown -R nginx:nginx /cache
+
+RENEW_INTERVAL_HOURS=${RENEW_INTERVAL_HOURS:-6}
+
+echo "0 */$RENEW_INTERVAL_HOURS * * * /renew_token.sh reload" > /etc/crontab/root
+
+exec "$@"
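Review bot: `env |grep AWS > /etc/environment` persists AWS_SECRET_ACCESS_KEY (and any other variable whose name merely contains `AWS`) to a file whose mode is left to the default umask, so the static credential can end up readable by the unprivileged `nginx` user that the script later chowns the cache to. Restrict both the match and the mode without changing the umask for the `exec "$@"` process: `( umask 077; env | grep '^AWS_' > /etc/environment )`. The values are written unquoted, so a value containing spaces or shell metacharacters would be misparsed by anything that later reads the file as shell. Separately, the `ECR_WITHOUT_PORT` regex `s/.*:\/\/(.*):.*/\1/g` only matches when ECR carries a port; for a plain `https://host` value (as in the example Deployment) the `dig +short` lookup receives the whole URL, which only affects the informational echo but makes it misleading.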
diff --git a/syntax-check.sh b/syntax-check.sh
deleted file mode 100755
index 5daa601..0000000
--- a/syntax-check.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-
-set -e
-
-echo "Performing syntax check on ansible playbooks"
-
-ansible-playbook -i hosts --syntax-check playbook-docker-registry-proxy.yaml
From 4c89b143cb00ee20b87e3c0443c9ddf1f2c668a5 Mon Sep 17 00:00:00 2001
From: Krzysztof Warunek
Date: Fri, 20 Sep 2024 12:51:46 +0200
Subject: [PATCH 2/5] do not require AWS_REGION
---
 scripts/startup.sh | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/scripts/startup.sh b/scripts/startup.sh
index 1236a6f..8af79ef 100755
--- a/scripts/startup.sh
+++ b/scripts/startup.sh
@@ -18,11 +18,6 @@ if [ -z "$RESOLVER" ] ; then
 exit 1
 fi
-if [ -z "$AWS_REGION" ] ; then
- echo "AWS_REGION not set."
- exit 1
-fi
-
 ECR_WITHOUT_PORT=$( echo ${ECR} | sed -r "s/.*:\/\/(.*):.*/\1/g")
 echo Using resolver $RESOLVER and $ECR [$(dig +short ${ECR_WITHOUT_PORT})] as upstream.
From c6531612e3b4dc98444499748957eb3897622d75 Mon Sep 17 00:00:00 2001
From: Krzysztof Warunek
Date: Fri, 20 Sep 2024 13:06:32 +0200
Subject: [PATCH 3/5] fix ssl var name
---
 scripts/startup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/startup.sh b/scripts/startup.sh
index 8af79ef..a85df78 100755
--- a/scripts/startup.sh
+++ b/scripts/startup.sh
@@ -33,7 +33,7 @@ SSL_CONFIG=/usr/local/openresty/nginx/conf/ssl.conf
 if [ "$ENABLE_SSL" ] && [ "$ENABLE_SSL" == "true" ]; then
 sed -i -e s!__SSL_KEY__!"$SSL_KEY"!g $SSL_CONFIG
- sed -i -e s!__SSL_CERTIFICATE__!"$SSL_CERT"!g $SSL_CONFIG
+ sed -i -e s!__SSL_CERTIFICATE__!"$SSL_CERTIFICATE"!g $SSL_CONFIG
 SSL_LISTEN="ssl"
 SSL_INCLUDE="include $SSL_CONFIG;"
 SCHEME="https"
From b8137c2e8713360d4239e244a861cb385df3cb11 Mon Sep 17 00:00:00 2001
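Review bot: The corrected line `sed -i -e s!__SSL_CERTIFICATE__!"$SSL_CERTIFICATE"!g $SSL_CONFIG` still interpolates the path straight into the sed expression, so a value containing `!` terminates the expression and a `&` is expanded by sed to the matched placeholder; `sed -i` then either errors out or writes a wrong `ssl_certificate` path into ssl.conf. Quoting the whole expression does not help with those two characters, so either validate the value first (`case "$SSL_CERTIFICATE" in *[!\&]*) echo "unsupported character in SSL_CERTIFICATE"; exit 1;; esac`) or escape them before substitution. Every other `sed -i -e s!__X__!"$VAR"!g` line in scripts/startup.sh has the same property; the enclosing `if` block is shown in full here but the rest of the script is outside this hunk.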
From: Krzysztof Warunek
Date: Fri, 20 Sep 2024 13:55:31 +0200
Subject: [PATCH 4/5] example k8s deployment
---
 deployment/aws-credentials.yaml | 10 +++++
 deployment/certs.yaml | 9 +++++
 deployment/deployment.yaml | 66 +++++++++++++++++++++++++++++++++
 deployment/service.yaml | 15 ++++++++
 4 files changed, 100 insertions(+)
 create mode 100644 deployment/aws-credentials.yaml
 create mode 100644 deployment/certs.yaml
 create mode 100644 deployment/deployment.yaml
 create mode 100644 deployment/service.yaml
diff --git a/deployment/aws-credentials.yaml b/deployment/aws-credentials.yaml
new file mode 100644
index 0000000..1b4dbc7
--- /dev/null
+++ b/deployment/aws-credentials.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: aws-ecr-http-proxy-aws-credentials
+ namespace: kube-system
+type: Opaque
+data:
+ aws_access_key_id: __base64_encoded_access_key_id__
+ aws_secret_access_key: __base64_encoded_secret_access_key__
+
diff --git a/deployment/certs.yaml b/deployment/certs.yaml
new file mode 100644
index 0000000..bb9d3a2
--- /dev/null
+++ b/deployment/certs.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: aws-ecr-http-proxy-ssl-certs
+ namespace: kube-system
+type: Opaque
+data:
+ ssl.cert: __base64_encoded_cert__
+ ssl.key: __base64_encoded_key__
diff --git a/deployment/deployment.yaml b/deployment/deployment.yaml
new file mode 100644
index 0000000..bc278a2
--- /dev/null
+++ b/deployment/deployment.yaml
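Review bot: The placeholder values under `data:` in both Secrets (`__base64_encoded_access_key_id__`, `__base64_encoded_secret_access_key__`, `__base64_encoded_cert__`, `__base64_encoded_key__`) are not valid base64, so `kubectl apply` rejects these manifests until every value is replaced, and a user who pastes a raw key there gets a confusing decode error rather than a hint. Since these are templates, `stringData:` with plaintext placeholders is the less error-prone shape: `stringData:` / `  aws_access_key_id: __access_key_id__` / `  aws_secret_access_key: __secret_access_key__`. Whoever can read Secrets in `kube-system` can recover a long-lived AWS key stored this way; the CHANGELOG in this series lists WebIdentity Token support, which would avoid storing a static key at all and is worth pointing to in the example.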
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: aws-ecr-http-proxy
+ namespace: kube-system
+ labels:
+ app: aws-ecr-http-proxy
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: aws-ecr-http-proxy
+ template:
+ metadata:
+ labels:
+ app: aws-ecr-http-proxy
+ spec:
+ containers:
+ - name: aws-ecr-http-proxy
+ image: kwarunek/aws-ecr-http-proxy:2.0.1
+ resources:
+ limits:
+ cpu: "500m"
+ memory: "512Mi"
+ requests:
+ cpu: "250m"
+ memory: "256Mi"
+ ports:
+ - containerPort: 5000
+ env:
+ - name: PORT
+ value: "5000"
+ - name: RESOLVER
+ value: "8.8.8.8"
+ - name: ECR
+ value: "https://_____ACCOUNT_ID______.dkr.ecr.eu-central-1.amazonaws.com"
+ - name: CACHE_MAX_SIZE
+ value: "75g"
+ - name: ENABLE_SSL
+ value: "true"
+ - name: SSL_KEY
+ value: "/opt/ssl/ssl.key"
+ - name: SSL_CERTIFICATE
+ value: "/opt/ssl/ssl.cert"
+ - name: AWS_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ name: aws-ecr-http-proxy-aws-credentials
+ key: AWS_ACCESS_KEY_ID
+ - name: AWS_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: aws-ecr-http-proxy-aws-credentials
+ key: AWS_SECRET_ACCESS_KEY
+ volumeMounts:
+ - name: ssl-certs
+ mountPath: /opt/ssl
+ readOnly: true
+ - name: cache-volume
+ mountPath: /cache
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
+ - name: ssl-certs
+ secret:
+ secretName: aws-ecr-http-proxy-ssl-certs
diff --git a/deployment/service.yaml b/deployment/service.yaml
new file mode 100644
index 0000000..8acda98
--- /dev/null
+++ b/deployment/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: aws-ecr-http-proxy
+ namespace: kube-system
+ labels:
+ app: aws-ecr-http-proxy
+spec:
+ type: ClusterIP
+ ports:
+ - port: 5000
+ targetPort: 5000
+ protocol: TCP
+ selector:
+ app: aws-ecr-http-proxy
From d72684671a56ff5800b55ba82cfda5cafb34edde Mon Sep 17 00:00:00 2001
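Review bot: The two `secretKeyRef.key` values, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, do not match the keys defined in deployment/aws-credentials.yaml in the preceding file section (`aws_access_key_id`, `aws_secret_access_key`), so the pod never starts and reports a missing key in the Secret; either rename the Secret keys or change these two lines to `key: aws_access_key_id` and `key: aws_secret_access_key`. The image is pinned by mutable tag only (`image: kwarunek/aws-ecr-http-proxy:2.0.1`); for a container that holds registry credentials, pinning by digest (`image: kwarunek/aws-ecr-http-proxy:2.0.1@sha256:<digest>`) keeps what runs from changing underneath the tag. A small `livenessProbe`/`readinessProbe` on port 5000 would also let the cluster notice a stalled proxy instead of leaving it in the Service endpoints, though that is optional for an example.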
From: Krzysztof Warunek
Date: Mon, 30 Sep 2024 15:05:57 +0200
Subject: [PATCH 5/5] crontab
---
 CHANGELOG.md | 9 +++++++--
 scripts/renew_token.sh | 4 +++-
 scripts/startup.sh | 2 +-
 3 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c18aed8..7e1f9f1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
-## [2.0.0] - 2024-07-24
+## [2.0.2] - 2024-09-30
+### Changed
+- Explicit env source
+- Crontab conf path changed
+
+## [2.0.0] - 2024-08-24
 ### Added
 - Support for AWS WebIdentity Token
@@ -18,4 +23,4 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Upgraded to OpenResty 1.21.4.1
 - Upgraded AWS CLI to 1.34.21
 - Environment variables names simplified
-- Cleaned up the repository structure
\ No newline at end of file
+- Cleaned up the repository structure
diff --git a/scripts/renew_token.sh b/scripts/renew_token.sh
index 09cfc9b..572fe5e 100755
--- a/scripts/renew_token.sh
+++ b/scripts/renew_token.sh
@@ -3,6 +3,8 @@
 set -e
 set +x
+source /etc/environment
+
 echo 'Using identity:'
 aws sts get-caller-identity
@@ -24,4 +26,4 @@ sed -i "s|${AUTH%??}|${AUTH_N}|g" $CONFIG
 if [ "$1" == "reload" ]; then
 echo "Reloading nginx"
 nginx -s reload
-fi
\ No newline at end of file
+fi
diff --git a/scripts/startup.sh b/scripts/startup.sh
index a85df78..25d729c 100755
--- a/scripts/startup.sh
+++ b/scripts/startup.sh
@@ -66,6 +66,6 @@ chown -R nginx:nginx /cache
 RENEW_INTERVAL_HOURS=${RENEW_INTERVAL_HOURS:-6}
-echo "0 */$RENEW_INTERVAL_HOURS * * * /renew_token.sh reload" > /etc/crontab/root
+echo "0 */$RENEW_INTERVAL_HOURS * * * /renew_token.sh reload" > /etc/crontabs/root
 exec "$@"
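Review bot: `source /etc/environment` is a bash/ash extension; under `#!/bin/sh` the portable spelling is `. /etc/environment`, which behaves identically in busybox ash and also works in dash. With `set -e` two lines above, a missing file (for example when the script is run by hand before startup.sh has written it) terminates the script before the token is renewed; `[ -r /etc/environment ] && . /etc/environment` keeps that case non-fatal. The file is produced by startup.sh's `env |grep AWS`, which writes values unquoted, so a credential containing shell metacharacters would be misparsed at this line rather than at the point it was written.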