Simple ECR proxy which manages AWS ECR authentication and handles the Link headers. The container also has endpoints for Kubernetes liveness and readiness probes.
Example usage:
docker run -e AWS_REGION=eu-west-1 \
-e AWS_SECRET_ACCESS_KEY=blah \
-e AWS_ACCESS_KEY_ID=blah \
--name registry --rm -i \
-p 8080:8080 terrycain/aws_ecr_proxy:latest
AWS_REGION
- Configures the AWS SDK's region. This determines which region's ECR images are available.
AWS_ACCESS_KEY_ID
- AWS Access Key
AWS_SECRET_ACCESS_KEY
- AWS Secret Key
ASSUME_ROLE
- When non-empty the tool assumes the provided role. An AWS ARN is expected, e.g. "arn:aws:iam::ACC:role/somerole".
LOG_LEVEL
- Default: INFO
- Sets the logging level, one of: DEBUG, INFO, WARN, ERROR
LISTEN_PORT
- Default: 8080
LISTEN_HOST
- Default: 0.0.0.0
DISABLE_PROXY_HEADERS
- Default: false
- If set to true then the proxy will ignore X-Forwarded-* and X-Real-IP headers. The only time you would want to set this is if the proxy is not sat behind a reverse proxy.
This proxy uses the standard AWS SDK, so it is entirely possible the AWS specific environment variables can be omitted and the proxy should attempt to authenticate using an appropriate IAM role, but this is untested.
Below is a Kubernetes deployment manifest, including annotations for flux to update the container using the semver matcher and including appropriate lifecycle probes. AWS access keys are passed in using Kubernetes secrets.
TODOMANIFEST
On startup, the proxy starts a loop that grabs an ECR token and continuously renews it roughly every 12 hours (unless Amazon changes the expiry).
On each request, it injects an Authorization header containing the ECR token. Before serving ECR's response it modifies any Link headers, which are used for pagination and contain ECR URLs, so that their links reference the proxy instead.
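The token refresh loop, the Authorization injection, the Link header rewriting and a readiness probe gated on the token, as an added Go example that is not the aws_ecr_proxy project's own code. It assumes a hypothetical fetch callback that wraps the SDK's GetAuthorizationToken call and returns the token with its expiry, a proxyBase URL giving the externally visible address of the proxy, and that the ECR token is sent as HTTP Basic credentials (ECR tokens are already the base64 form of "AWS:<password>"); the registry host and token values used in the comments are constructed placeholders.

```go
package main

import (
	"context"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"regexp"
	"strings"
	"sync/atomic"
	"time"
)

// Added example, not the project's code. fetch and proxyBase are assumptions.

// TokenSource holds the current ECR authorization token; RefreshLoop renews it.
type TokenSource struct{ v atomic.Value }

func (t *TokenSource) Get() string { s, _ := t.v.Load().(string); return s }

// NextRefresh: remaining lifetime minus a safety margin, but never less than retry.
func NextRefresh(exp time.Time, margin, retry time.Duration) time.Duration {
	if wait := time.Until(exp) - margin; wait > retry {
		return wait
	}
	return retry
}

// RefreshLoop fetches a token, stores it and repeats shortly before each expiry
// (ECR tokens last 12 hours). A failed fetch is retried after retry.
func RefreshLoop(ctx context.Context, ts *TokenSource, fetch func() (string, time.Time, error), margin, retry time.Duration) {
	for {
		wait := retry
		if tok, exp, err := fetch(); err != nil {
			log.Printf("ECR token refresh failed: %v", err)
		} else {
			ts.v.Store(tok)
			wait = NextRefresh(exp, margin, retry)
		}
		select {
		case <-ctx.Done():
			return
		case <-time.After(wait):
		}
	}
}

// linkPart matches one "<uri>; param; param" entry of an RFC 8288 Link header.
var linkPart = regexp.MustCompile(`<([^>]*)>((?:\s*;[^,]*)*)`)

// RewriteLinkHeader points every link whose host is the ECR registry at the proxy
// (proxyBase, e.g. "https://registry.example.com"); relative links and other hosts are left alone.
func RewriteLinkHeader(link, ecrHost, proxyBase string) string {
	base, err := url.Parse(proxyBase)
	if err != nil {
		return link
	}
	return linkPart.ReplaceAllStringFunc(link, func(m string) string {
		sub := linkPart.FindStringSubmatch(m)
		u, err := url.Parse(sub[1])
		if err != nil || !strings.EqualFold(u.Host, ecrHost) {
			return m
		}
		u.Scheme, u.Host = base.Scheme, base.Host
		return "<" + u.String() + ">" + sub[2]
	})
}

// NewECRProxy builds a reverse proxy to ecrHost that sends the ECR token as HTTP Basic
// credentials on the way in and rewrites Link headers on the way back.
func NewECRProxy(ecrHost, proxyBase string, ts *TokenSource) *httputil.ReverseProxy {
	target := &url.URL{Scheme: "https", Host: ecrHost}
	rp := httputil.NewSingleHostReverseProxy(target)
	director := rp.Director
	rp.Director = func(r *http.Request) {
		director(r)
		r.Host = target.Host // ECR routes on the Host header, not on the proxy's name
		r.Header.Set("Authorization", "Basic "+ts.Get())
	}
	rp.ModifyResponse = func(resp *http.Response) error {
		links := resp.Header.Values("Link")
		resp.Header.Del("Link")
		for _, l := range links {
			resp.Header.Add("Link", RewriteLinkHeader(l, ecrHost, proxyBase))
		}
		return nil
	}
	return rp
}

// ReadyHandler answers the readiness probe: 503 until a token has been fetched.
func ReadyHandler(ts *TokenSource) http.HandlerFunc {
	return func(w http.ResponseWriter, _ *http.Request) {
		if ts.Get() == "" {
			http.Error(w, "no ECR token yet", http.StatusServiceUnavailable)
			return
		}
		w.WriteHeader(http.StatusOK)
	}
}
```

Wiring it up means starting RefreshLoop in a goroutine, registering ReadyHandler on the readiness path and the reverse proxy on "/", then serving on LISTEN_HOST:LISTEN_PORT. Rewriting only links whose host matches the registry, rather than every link, keeps the proxy from redirecting clients to itself for URLs it does not front, and gating readiness on the token keeps Kubernetes from routing registry traffic to a pod that would only answer with authentication errors.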
The reason I created this was that FluxCD was not playing ball with ECR when run outside of AWS, and the standard NGINX ECR proxies don't handle the Link headers which Docker registries use for pagination, which results in Flux complaining about the registry requiring authentication. Until the pagination kicked in, the standard proxy https://github.com/catalinpan/aws-ecr-proxy worked fine.
- add support to listen with TLS
- request logging