Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up

AWS ECR docker registry proxy. Anonymous proxy for AWS ECR

License

NotificationsYou must be signed in to change notification settings

catalinpan/aws-ecr-proxy

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Based on official nginx alpine.

Docker image repository

The container will renew the aws token every 6 hours.

Variables:

AWS_KEYAWS_SECRETREGIONRENEW_TOKEN - default 6hREGISTRY_ID - optional, used for cross account access

Health check

To check the health of the container/registry useFQDN/ping which will give you the heath of the registry with the correct status code.

AWS instance with IAM role

For AWS instances if the region is not declared it will be auto discovered from IAM as long as the instance supports that.pull request,commit.

The AWS key and secret can be also configured using a IAM role (without mounting them secrets or specifying them as variables). A sample IAM role config can be found in the examples folder. More details on theAWS official documentation.

The configs will be checked in the following order:

  • secrets - file mounted
  • variables declared at run time
  • IAM role

If none are found the container will not start. Check the logs withdocker logs CONTAINER_ID

Docker run:

Without ssl

This will require either to add insecure registry URL or a load balancer with valid ssl certificates.Checkhttps://docs.docker.com/registry/insecure/ for more details.

docker run -e AWS_SECRET='YOUR_AWS_SECRET' \-e AWS_KEY='YOUR_AWS_KEY' \-e REGION='YOUR_AWS_REGION' \-d catalinpan/aws-ecr-proxy
With your own certificate
docker run -e AWS_SECRET='YOUR_AWS_SECRET' \-e AWS_KEY='YOUR_AWS_KEY' \-e REGION='YOUR_AWS_REGION' \-v `pwd`/YOUR_CERTIFICATE.key:/etc/nginx/ssl/default.key:ro \-v `pwd`/YOUR_CERTIFICATE.crt:/etc/nginx/ssl/default.crt:ro \-d catalinpan/aws-ecr-proxy
With a valid AWS CLI configuration file

The configuration should look like below example.

cat ~/.aws/config
[default]# region example eu-west-1region = REGION     aws_access_key_id = YOUR_AWS_KEYaws_secret_access_key = YOUR_AWS_SECRET
docker run -v ~/.aws:/root/.aws:ro-v `pwd`/YOUR_CERTIFICATE.key:/etc/nginx/ssl/default.key:ro \-v `pwd`/YOUR_CERTIFICATE.crt:/etc/nginx/ssl/default.crt:ro \-d catalinpan/aws-ecr-proxy
IAM role configured

with region and credentials from IAM role

docker run -d catalinpan/aws-ecr-proxy

with region as environment variable and credentials from IAM role

docker run -e REGION='YOUR_AWS_REGION' -d catalinpan/aws-ecr-proxy

SSL

The certificates included are just to get nginx started. Generate your own certificate, get valid ssl certificates or use the container behind a load balancer with valid SSL certificates.

Self signed certificates

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout default.key -out default.crt

Kubernetes example

Kubernetes examples contain also a health check.The configs can be changed to get aws_config and ssl certificates as secrets.

Deployment and service

The configuration provided will require valid ssl certificates or to be behind a load balancer with valid ssl.

DaemonSet

The daemonSet will be available on all the nodes. Deployments can use127.0.0.1:5000/container_name:tag instead ofFQDN/container_name:tag

About

AWS ECR docker registry proxy. Anonymous proxy for AWS ECR

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published
[8]ページ先頭
©2009-2025 Movatter.jp