sshipway / rancher-catalogue

Catalogue for Rancher (test)
GNU General Public License v2.0

Registry-Convoy could use automatic rancher certificates? #11

Open kkvilekval opened 8 years ago

kkvilekval commented 8 years ago

I was wondering if there is an issue with using rancher certificates in your registry-convoy. I downloaded the docker and rancher compose and modified

rancher-compose

```
lb:
  ...
  default_cert: mycert
```

But then I realized that you are using nginx for ssl termination and your custom portus was configuring nginx by default. I was thinking it would be possible to just skip it and have the load-balancer ssl terminate using a rancher certificate. Is there an issue here?

withinboredom commented 8 years ago

I deleted those. I set up my ssl lb to go to Portus and changed the registry to be insecure and used the ssl lb there as well. This should be the default in my opinion. Storing the unencrypted keys in plaintext is not ideal.

sshipway commented 8 years ago

The reason the template is set up this way is because registry:2 supports SSL natively but Portus does not, and I wanted the container to be able to auto-create a self-signed certificate if necessary. Using the Rancher load balancer was not (at the time) an option because it could not prompt for certificate selection (that is not now the case) and cannot be set to auto-create self-signed certs.

The Registry template is not supposed to be everything for everyone; this would not be possible in any case. Rather, it is supposed to be a fully self-contained solution that works and gives people a starting point to customise to their requirements, as you have done.

My preferred solution would be for Rancher itself to provide the authentication hook and web UI that Portus is being used for, so that the authnz could be fully integrated with the Rancher roles, but that may be a bit of a wait...