add capability to support non resolveable upstreams

Dockerfile

@@ -63,6 +63,8 @@ EXPOSE 8082
 ENV REGISTRIES="k8s.gcr.io gcr.io quay.io"
 # A space delimited list of registry:user:password to inject authentication for
 ENV AUTH_REGISTRIES="some.authenticated.registry:oneuser:onepassword another.registry:user:password"
+# A space delimited list of domain=IP1,IP2 to inject upstream -> server mapping for
+ENV UPSTREAM_MAPPINGS=""
 # Should we verify upstream's certificates? Default to true.
 ENV VERIFY_SSL="true"
 # Enable debugging mode; this inserts mitmproxy/mitmweb between the CONNECT proxy and the caching layer

README.md

@@ -87,6 +87,8 @@ for this to work it requires inserting a root CA certificate into system trusted
   - `hostname`s listed here should be listed in the REGISTRIES environment as well, so they can be intercepted.
 - Env `AUTH_REGISTRIES_DELIMITER` to change the separator between authentication info. By default, a space: "` `". If you use keys that contain spaces (as with Google Cloud Registry), you should update this variable, e.g. setting it to `AUTH_REGISTRIES_DELIMITER=";;;"`. In that case, `AUTH_REGISTRIES` could contain something like `registry1.com:user1:pass1;;;registry2.com:user2:pass2`.
 - Env `AUTH_REGISTRY_DELIMITER` to change the separator between authentication info *parts*. By default, a colon: "`:`". If you use keys that contain single colons, you should update this variable, e.g. setting it to `AUTH_REGISTRIES_DELIMITER=":::"`. In that case, `AUTH_REGISTRIES` could contain something like `registry1.com:::user1:::pass1 registry2.com:::user2:::pass2`.
+- Env `UPSTREAM_MAPPINGS` to configure upstream server mappings (similar in functionality to /etc/hosts entries but with round-robin selection).
+Useful when configured resolvers are unable to resolve a host. e.g. `UPSTREAM_MAPPINGS="registry1=10.0.1.10:443,10.0.1.11 registry2=5.0.1.10"`
 - Timeouts ENVS - all of them can pe specified to control different timeouts, and if not set, the defaults will be the ones from `Dockerfile`. The directives will be added into `http` block.:
   - SEND_TIMEOUT : see [send_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout)
   - CLIENT_BODY_TIMEOUT : see [client_body_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout)

entrypoint.sh

@@ -38,6 +38,30 @@ else
     echo "Not using resolver config, keep existing '$confpath' -- mounted by user?"
 fi
 
+# Generate nginx upstream blocks into file. Function similar to a /etc/hosts file but includes round-robin selection
+# e.g when UPSTREAM_MAPPINGS="registry1=10.0.1.10:443,10.0.1.11 registry2=5.0.1.10", the following file is generated
+# upstream registry1 {
+#         server 10.0.1.10:443;
+#         server 10.0.1.11;
+# }
+# upstream registry2 {
+#         server 5.0.1.10;
+# }
+echo -n "" >> /etc/nginx/upstreams.conf
+
+if [ ! -z "$UPSTREAM_MAPPINGS" ]; then
+
+    for UPSTREAM in ${UPSTREAM_MAPPINGS}; do
+        echo "upstream ${UPSTREAM%=*} {" >> /etc/nginx/upstreams.conf
+        comma_separated_hosts="${UPSTREAM#*=}"
+        hosts=`echo $comma_separated_hosts | tr ',' ' '`
+        for host in ${hosts}; do
+            echo -e "\tserver $host;" >> /etc/nginx/upstreams.conf
+        done
+        echo "}" >> /etc/nginx/upstreams.conf
+    done
+fi
+
 # The list of SAN (Subject Alternative Names) for which we will create a TLS certificate.
 ALLDOMAINS=""
 

nginx.conf

@@ -78,6 +78,9 @@ http {
 
     gzip  off;
 
+    # Entrypoint generates the upstreams.conf config.
+    include /etc/nginx/upstreams.conf;
+
     # Entrypoint generates the proxy_cache_path here, so it is configurable externally.
     include /etc/nginx/conf.d/cache_max_size.conf;