Deployment options using GitHub Enterprise + Rancher

Hello,

We have a private installation of GitHub Enterprise and in our current environment we’re not able to use S3 due to security reasons.

We’re trying to wrap our heads around using rancher-compose to deploy repositories from our GitHub Enterprise. I’m aware that you can use the build: <git url> paradigm to build the image on the fly, but I’m not sure how best to approach this assuming I would have to add an ssh key from the user who is building / pulling the image so they can authenticate on our environment.

Basically, I am trying to find a quick way to deploy to our Rancher environment using rancher-compose without using A) the Public Docker Hub registry and B) Without using S3.

We’ve contemplated running the free version of the Docker registry but without any real web UI to work with, it’s still not at a point where we feel comfortable using this in a production environment (also, all our code is in GitHub Enterprise, so we could easily convert some of those to Docker containers by including a few files).

Any suggestions that we could use today?

Thanks,

You could take any Dockerfile and place it into a URL and create a build using the URL.

For example:

I have a very simple Dockerfile:

FROM nginx

CMD ["nginx", "-g", "daemon off;"]

And I placed it into a gist to make it into a URL. https://gist.githubusercontent.com/deniseschannon/3276610b006382da655b/raw/11690eefe15de38e82d40d559f0db641722afb6c/buildtest

And I was able to run rancher-compose with this docker-compose.yml file.

nginxapp:
  restart: always
  tty: true
  stdin_open: true
  build: https://gist.githubusercontent.com/deniseschannon/3276610b006382da655b/raw/11690eefe15de38e82d40d559f0db641722afb6c/buildtest

Based on what you’re saying, I think this should work for you? As for authenticating against the environment (assuming you mean the Rancher environment, upper right hand corner in the UI), when you run rancher-compose, you pass in the URL and the API Key for the environment, so it would authenticate and be able to launch the service.

Hi Denise,

Thanks for the response… I’m not sure how well this would work. A few reasons I can think of:

  1. The example uses a public GitHub URL. Most of our Docker configurations not only include a Dockerfile, but also require support files to set up the image once it’s built (install script, other material, etc.). I guess these could be hosted “elsewhere” and pulled from within the Dockerfile, it just seems messy.

  2. We can’t use GitHub.com because it’s public. GitHub Enterprise requires authentication for any connection (either basic authentication if you use a URL with https:// or public key if using the ssh clone method).

When I talked about authentication, I meant against our GitHub Enterprise instance (sorry, I should have been clearer). All requests to GitHub Enterprise must be authenticated with a user/pass or ssh key.

The only workaround that I could see is to create a private registry and host images in the private registry and pull images from there.

Would that be a solution for you?

We could also add an enhancement request to add in the ability to rancher-compose to authenticate with GHE. Not sure if it’s even possible, but we could always ask. 🙂

Hi Denise,

I was actually thinking of the GHE integration with Rancher. Rancher already authenticates against GHE, so some of the foundation could already be there.

The ability to configure an SSH key or other method that would allow pulls from a GHE repository would be fantastic and in line with integration into a more corporate environment where things are self-hosted, but also secured.

In the interim, I guess our only choice is to set up a custom registry. Not ideal as the Private Registry from Docker doesn’t have much (if any if I remember correctly) Web UI (the Trusted Registry is an option, but not at this time for our org). Unless of course you have suggestions for alternative open source registry solutions!

Cheers,

I just made an issue in GitHub for you to track your request. Another possibility could be quay.io? I know that’s a popular one, but haven’t looked too much into it myself.

https://github.com/rancher/rancher/issues/2144

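A pre-deploy check for the constraints discussed in this thread (no public Docker Hub images, no builds from hosts outside the organisation, no credentials placed in a build URL), as an added example that is not code from any poster or from Rancher. The hosts `registry.internal.example` and `ghe.internal.example`, the services other than `nginxapp`, and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions: hypothetical internal hosts, not taken from the thread.
ALLOWED_REGISTRY = "registry.internal.example"
ALLOWED_BUILD_HOSTS = {"ghe.internal.example"}

def image_registry(ref):
    """Registry host of an image reference; Docker Hub when none is given."""
    first = ref.split("/", 1)[0]
    if "/" in ref and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def audit_compose(text):
    """Return (service, finding) pairs for a v1-style compose file."""
    findings, service = [], None
    for raw in text.splitlines():
        m = re.match(r"^(\s*)([\w.-]+):\s*(.*)$", raw.rstrip())
        if not m:
            continue
        indent, key, value = m.group(1), m.group(2), m.group(3).strip("'\"")
        if not indent:
            service = key  # a key at column 0 names the service
        elif key == "image" and image_registry(value) != ALLOWED_REGISTRY:
            findings.append((service, f"image from {image_registry(value)}"))
        elif key == "build" and "://" in value:
            url = urlsplit(value)
            if url.username or url.password:
                findings.append((service, "credentials embedded in build URL"))
            if url.hostname not in ALLOWED_BUILD_HOSTS:
                findings.append((service, f"build from external host {url.hostname}"))
    return findings

# Constructed sample; nginxapp mirrors the compose file posted in the thread.
SAMPLE = """\
nginxapp:
  restart: always
  build: https://gist.githubusercontent.com/deniseschannon/3276610b006382da655b/raw/11690eefe15de38e82d40d559f0db641722afb6c/buildtest
web:
  image: nginx
api:
  image: registry.internal.example/team/api:1.4
worker:
  build: https://deploy:EXAMPLE-TOKEN@ghe.internal.example/team/worker.git
"""

if __name__ == "__main__":
    for svc, finding in audit_compose(SAMPLE):
        print(f"{svc}: {finding}")
```

Run against the constructed sample, it flags `nginxapp`, `web` and `worker`, and passes `api`, the only service that pulls from the private registry.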