├── Dockerfile
├── LICENSE
├── README.md
├── configs
│   ├── auth_update.sh
│   ├── entrypoint.sh
│   ├── nginx
│   │   ├── nginx.conf
│   │   └── ssl
│   │       ├── default.crt
│   │       └── default.key
│   └── renew_token.sh
└── examples
    ├── aws-instance-role-policy.json
    └── kubernetes
        ├── daemonset.yaml
        ├── deployment.yaml
        └── service.yaml

/Dockerfile:
--------------------------------------------------------------------------------
FROM nginx:1.12.0-alpine

RUN apk -v --update add \
        python \
        py-pip \
        && \
    pip install --upgrade pip awscli==1.11.92 && \
    apk -v --purge del py-pip && \
    rm /var/cache/apk/*

ADD configs/nginx/nginx.conf /etc/nginx/nginx.conf
ADD configs/nginx/ssl /etc/nginx/ssl

ADD configs/entrypoint.sh /entrypoint.sh
ADD configs/auth_update.sh /auth_update.sh
ADD configs/renew_token.sh /renew_token.sh

EXPOSE 80 443

ENTRYPOINT ["/entrypoint.sh"]

CMD ["nginx", "-g", "daemon off;"]

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2017 catalinpan

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# AWS ECR anonymous proxy

Based on official nginx alpine.

[Docker image repository](https://hub.docker.com/r/catalinpan/aws-ecr-proxy/)

The container will renew the aws token every 6 hours.

Variables:
```
AWS_KEY
AWS_SECRET
REGION
RENEW_TOKEN - default 6h
REGISTRY_ID - optional, used for cross account access
```

### Health check

To check the health of the container/registry use ```FQDN/ping``` which will give you the health of the registry with the correct status code.

### AWS instance with IAM role

For AWS instances, if the region is not declared it will be auto-discovered from IAM as long as the instance supports that. [pull request](https://github.com/catalinpan/aws-ecr-proxy/pull/1/commits/899ef1a80a7fa141f66e500a76f6ed86f8d19f4e), [commit](https://github.com/catalinpan/aws-ecr-proxy/commit/d8a709bf043cfd14b88defae738833e93c946f4b).

The AWS key and secret can also be configured using an IAM role (without mounting them as secrets or specifying them as variables). A sample IAM role config can be found in the examples folder. More details are in the [AWS official documentation](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html).

The configs will be checked in the following order:

- secrets - file mounted
- variables declared at run time
- IAM role

If none are found the container will not start. Check the logs with ```docker logs CONTAINER_ID```

## Docker run:
##### Without ssl
This requires either adding the proxy as an insecure registry URL or placing it behind a load balancer with valid ssl certificates.
Check https://docs.docker.com/registry/insecure/ for more details.
```
docker run -e AWS_SECRET='YOUR_AWS_SECRET' \
-e AWS_KEY='YOUR_AWS_KEY' \
-e REGION='YOUR_AWS_REGION' \
-d catalinpan/aws-ecr-proxy
```
##### With your own certificate
```
docker run -e AWS_SECRET='YOUR_AWS_SECRET' \
-e AWS_KEY='YOUR_AWS_KEY' \
-e REGION='YOUR_AWS_REGION' \
-v `pwd`/YOUR_CERTIFICATE.key:/etc/nginx/ssl/default.key:ro \
-v `pwd`/YOUR_CERTIFICATE.crt:/etc/nginx/ssl/default.crt:ro \
-d catalinpan/aws-ecr-proxy
```
##### With a valid AWS CLI configuration file
The configuration should look like the example below.
```
cat ~/.aws/config
```
```
[default]
# region example eu-west-1
region = REGION
aws_access_key_id = YOUR_AWS_KEY
aws_secret_access_key = YOUR_AWS_SECRET
```
```
docker run -v ~/.aws:/root/.aws:ro \
-v `pwd`/YOUR_CERTIFICATE.key:/etc/nginx/ssl/default.key:ro \
-v `pwd`/YOUR_CERTIFICATE.crt:/etc/nginx/ssl/default.crt:ro \
-d catalinpan/aws-ecr-proxy
```
##### IAM role configured
With region and credentials from the IAM role:
```
docker run -d catalinpan/aws-ecr-proxy
```
With region as environment variable and credentials from the IAM role:
```
docker run -e REGION='YOUR_AWS_REGION' -d catalinpan/aws-ecr-proxy
```

## SSL
The certificates included are just to get nginx started.
Generate your own certificate, get valid ssl certificates or use the container behind a load balancer with valid SSL certificates.

#### Self signed certificates
```
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout default.key -out default.crt
```

## Kubernetes example

The Kubernetes examples also contain a health check.
The configs can be changed to get aws_config and ssl certificates as secrets.

#### Deployment and service
The configuration provided will require valid ssl certificates or to be behind a load balancer with valid ssl.

#### DaemonSet
The daemonSet will be available on all the nodes. Deployments can use ```127.0.0.1:5000/container_name:tag``` instead of ```FQDN/container_name:tag```

--------------------------------------------------------------------------------
/configs/auth_update.sh:
--------------------------------------------------------------------------------
#!/bin/sh

nx_conf=/etc/nginx/nginx.conf

# update the auth token
# 4th field of the X-Forwarded-User line: the current credential followed by ";
auth=$(grep X-Forwarded-User ${nx_conf} | awk '{print $4}'| uniq|tr -d "\n\r")
if [ "$REGISTRY_ID" = "" ]
then
    token=$(aws ecr get-login --no-include-email | awk '{print $6}')
else
    token=$(aws ecr get-login --no-include-email --registry-ids $REGISTRY_ID | awk '{print $6}')
fi
# keep the current credential if no new token could be fetched
if [ "$token" = "" ]
then
    echo "could not get a new ecr token, keeping the current one"
    exit 1
fi
auth_n=$(echo AWS:${token} | base64 |tr -d "[:space:]")

# ${auth%??} strips the trailing "; so only the credential itself is replaced
sed -i "s|${auth%??}|${auth_n}|g" ${nx_conf}

--------------------------------------------------------------------------------
/configs/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/sh

nx_conf=/etc/nginx/nginx.conf

# instance identity document, used to discover the region on AWS instances
AWS_IAM='http://169.254.169.254/latest/dynamic/instance-identity/document'
AWS_FOLDER='/root/.aws'

# start a fresh AWS CLI config file
header_config() {
    mkdir -p ${AWS_FOLDER}
    echo "[default]" > /root/.aws/config
}
region_config() {
    echo "region = $@" >> /root/.aws/config
}

test_iam() {
    wget -q -O- ${AWS_IAM} | grep -q 'region'
}

# succeeds if the given key appears in any file under ~/.aws
test_config() {
    grep -qrni "$@" ${AWS_FOLDER}
}

fix_perm() {
    chmod 600 -R ${AWS_FOLDER}
}

# test if region is mounted as secret
if test_config region
then
    echo "region found in ~/.aws mounted as secret"
# configure regions if variable specified at run time
elif [ "$REGION" != "" ]
then
    header_config
    region_config "$REGION"
    fix_perm
# check if the region can be pulled from AWS IAM
elif test_iam
then
    echo "region detected from iam"
    REGION=$(wget -q -O- ${AWS_IAM} | grep 'region' |cut -d'"' -f4)
    header_config
    region_config "$REGION"
    fix_perm
else
    echo "No region detected"
    exit 1
fi

# test if key and secret are mounted as secret
if test_config aws_access_key_id
then
    echo "aws key and secret found in ~/.aws mounted as secrets"
# if both key and secret are declared
elif [ "$AWS_KEY" != "" ] && [ "$AWS_SECRET" != "" ]
then
    echo "aws_access_key_id = $AWS_KEY
aws_secret_access_key = $AWS_SECRET" >> ${AWS_FOLDER}/config
    fix_perm
# if the key and secret are not mounted as secrets
else
    echo "key and secret not available in ~/.aws/"
    if aws ecr get-authorization-token | grep expiresAt
    then
        echo "iam role configured to allow ecr access"
    else
        echo "key and secret not mounted as secret, declared as variables or available from iam role"
        exit 1
    fi
fi

# update the auth token
if [ "$REGISTRY_ID" = "" ]
then
    aws_cli_exec=$(aws ecr get-login --no-include-email)
else
    aws_cli_exec=$(aws ecr get-login --no-include-email --registry-ids $REGISTRY_ID)
fi
# get-login prints a docker login command: field 6 is the token, field 7 the registry URL
auth=$(grep X-Forwarded-User ${nx_conf} | awk '{print $4}'| uniq|tr -d "\n\r")
token=$(echo "${aws_cli_exec}" | awk '{print $6}')
auth_n=$(echo AWS:${token} | base64 |tr -d "[:space:]")
reg_url=$(echo "${aws_cli_exec}" | awk '{print $7}')

sed -i "s|${auth%??}|${auth_n}|g" ${nx_conf}
sed -i "s|REGISTRY_URL|$reg_url|g" ${nx_conf}

/renew_token.sh &

exec "$@"

--------------------------------------------------------------------------------
/configs/nginx/nginx.conf:
--------------------------------------------------------------------------------
events {
    worker_connections 4096;
}

http {
    resolver 8.8.8.8 8.8.4.4;

    server {

        listen 80 default_server;
        server_name _;

        location / {
            set $upstream REGISTRY_URL;

            proxy_pass $upstream;
            proxy_redirect $upstream https://$host;

            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-User "Basic $http_authorization";
            proxy_set_header Authorization "Basic $http_authorization";

            proxy_pass_header Server;

            client_max_body_size 0;
            proxy_connect_timeout 300s;
            proxy_read_timeout 300s;
            proxy_send_timeout 300s;
            send_timeout 300s;
        }
    }

    server {
        listen 443 default_server;
        server_name _;
        ssl on;
        ssl_certificate /etc/nginx/ssl/default.crt;
        ssl_certificate_key /etc/nginx/ssl/default.key;

        location / {
            set $upstream REGISTRY_URL;

            proxy_pass $upstream;
            proxy_redirect $upstream https://$host;

            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-User "Basic $http_authorization";
            proxy_set_header Authorization "Basic $http_authorization";

            proxy_pass_header Server;

            client_max_body_size 0;
            proxy_connect_timeout 300s;
            proxy_read_timeout 300s;
            proxy_send_timeout 300s;
            send_timeout 300s;
        }
    }
}

--------------------------------------------------------------------------------
/configs/nginx/ssl/default.crt:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/configs/nginx/ssl/default.key:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/configs/renew_token.sh:
--------------------------------------------------------------------------------
#!/bin/sh

while sleep ${RENEW_TOKEN:-6h}
do
    /auth_update.sh
    nginx -s reload
done

--------------------------------------------------------------------------------
/examples/aws-instance-role-policy.json:
--------------------------------------------------------------------------------
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:BatchGetImage"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

--------------------------------------------------------------------------------
/examples/kubernetes/daemonset.yaml:
--------------------------------------------------------------------------------
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  labels:
    name: aws-ecr-proxy
  name: aws-ecr-proxy
spec:
  template:
    metadata:
      labels:
        name: aws-ecr-proxy
    spec:
      containers:
      - name: aws-ecr-proxy
        image: catalinpan/aws-ecr-proxy
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 443
          # the port can be changed to anything else
          hostPort: 5000
          protocol: TCP
          name: https
        - containerPort: 80
          protocol: TCP
          name: http
        env:
        - name: AWS_KEY
          value: 'YOUR_AWS_KEY'
        - name: AWS_SECRET
          value: 'YOUR_AWS_SECRET'
        - name: REGION
          value: "YOUR_REGION"
        livenessProbe:
          httpGet:
            path: /ping
            port: 80
          initialDelaySeconds: 60
          periodSeconds: 60
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 2
        resources:
          limits:
            cpu: 300m
            memory: 256Mi
          requests:
            cpu: 50m
            memory: 32Mi

--------------------------------------------------------------------------------
/examples/kubernetes/deployment.yaml:
--------------------------------------------------------------------------------
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  labels:
    name: aws-ecr-proxy
  name: aws-ecr-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      name: aws-ecr-proxy
  template:
    metadata:
      labels:
        name: aws-ecr-proxy
    spec:
      containers:
      - name: aws-ecr-proxy
        image: catalinpan/aws-ecr-proxy
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
          protocol: TCP
          name: http
        - containerPort: 443
          protocol: TCP
          name: https
        env:
        - name: AWS_KEY
          value: 'YOUR_AWS_KEY'
        - name: AWS_SECRET
          value: 'YOUR_AWS_SECRET'
        - name: REGION
          value: "YOUR_REGION"
        livenessProbe:
          httpGet:
            path: /ping
            port: 80
          initialDelaySeconds: 60
          periodSeconds: 60
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 2
        resources:
          limits:
            cpu: 300m
            memory: 256Mi
          requests:
            cpu: 50m
            memory: 32Mi

--------------------------------------------------------------------------------
/examples/kubernetes/service.yaml:
--------------------------------------------------------------------------------
---
kind: Service
apiVersion: v1
metadata:
  labels:
    name: aws-ecr-proxy
  name: aws-ecr-proxy
spec:
  ports:
  - name: http
    port: 80
    targetPort: 80
  - name: https
    port: 443
    targetPort: 443
  selector:
    name: aws-ecr-proxy

--------------------------------------------------------------------------------
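
nginx.conf replaces each client's Authorization header with the proxy's own ECR token, so the IAM policy behind that token is the only limit on what a client can do through the proxy. The script below is an added example, not part of the repository: it lists any action in a policy file that falls outside the seven read-only actions of examples/aws-instance-role-policy.json. The function names and the sample push.json policy are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the repository: report IAM policy actions that go
# beyond the read-only set in examples/aws-instance-role-policy.json.

# The seven actions granted by the repository's example policy.
ALLOWED='ecr:GetAuthorizationToken
ecr:BatchCheckLayerAvailability
ecr:GetDownloadUrlForLayer
ecr:GetRepositoryPolicy
ecr:DescribeRepositories
ecr:ListImages
ecr:BatchGetImage'

# policy_actions FILE: print every value listed under an "Action" key.
# Plain text matching, so it needs no JSON parser; "NotAction" keys are not
# matched here and are reported by extra_actions instead.
policy_actions() {
    tr -d ' \t\r\n' < "$1" |
        grep -oE '"Action":(\[[^]]*\]|"[^"]*")' |
        sed 's/^"Action"://' |
        grep -oE '"[^"]*"' |
        tr -d '"' | sort -u
}

# extra_actions FILE: print the actions that are outside the read-only set.
# IAM action names are case-insensitive, hence grep -i. Wildcards such as
# "*" or "ecr:*" are never in the set, so they are always reported.
extra_actions() {
    policy_actions "$1" | while IFS= read -r action; do
        printf '%s\n' "$ALLOWED" | grep -qixF -- "$action" || printf '%s\n' "$action"
    done
    # NotAction with Effect Allow grants everything except the listed actions.
    if grep -q '"NotAction"' "$1"; then echo 'NotAction'; fi
}

# check_policy FILE: succeed only when nothing beyond read-only pull is granted.
check_policy() {
    extra=$(extra_actions "$1" | tr '\n' ' ')
    [ -z "$extra" ] && return 0
    echo "$1: beyond read-only pull: $extra" >&2
    return 1
}

# Constructed sample: a policy that also allows pushing images.
demo_dir=$(mktemp -d)
cat > "$demo_dir/push.json" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Resource": "*",
      "Action": ["ecr:GetAuthorizationToken", "ecr:batchgetimage", "ecr:PutImage", "ecr:*"] }
  ]
}
EOF
check_policy "$demo_dir/push.json" || echo "push.json rejected"
rm -rf "$demo_dir"
```

The check does not look at Effect or Resource, so an action listed only in a Deny statement is reported as well.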