2 months ago
Hi everyone,
i'm currently deploying an application that depends on private python packages hosted on a private gitea registry. I’m looking for the best way to handle two specific challenges during the build phase:
1. IP Whitelisting for gitea: My gitea instance is behind a firewall. Since railway's build servers use dynamic IP addresses, what is the recommended way to allow railway to reach my registry? Does railway provide a range of outbound IPs for builds?
2. Passing credentials/tokens during build: I need to provide an authentication token to pip so it can access the private repository. What is the best practice for passing this token securely during the build phase (not just at runtime)?
Any examples of how you've set up private package managers with railway would be greatly appreciated!
Thanks in advance for the help!
7 Replies
2 months ago
This thread has been marked as public for community involvement, as it does not contain any sensitive or personal information. Any further activity in this thread will be visible to everyone.
Status changed to Open Railway • about 2 months ago
2 months ago
Hey! Railway does support static outbound IP if you're on the pro plan; looks like you are.
1. Go to your service Settings Networking section.
2. Toggle "Enable Static IPs"
3. Note the assigned IPy4 address
4. Whitelist this IP in your Gitea firewall
5. Deploy your service to activate the static IP.
The static IP should apply to builds to I think; maybe worth a test https://docs.railway.com/reference/static-outbound-ips
For passing the access token during build, your builder can access environment variables just like production can.
https://docs.railway.com/guides/dockerfiles#using-variables-at-build-time
mykal
Hey! Railway does support static outbound IP if you're on the pro plan; looks like you are.1. Go to your service Settings Networking section.2. Toggle "Enable Static IPs"3. Note the assigned IPy4 address4. Whitelist this IP in your Gitea firewall5. Deploy your service to activate the static IP.The static IP should apply to builds to I think; maybe worth a test https://docs.railway.com/reference/static-outbound-ipsFor passing the access token during build, your builder can access environment variables just like production can.https://docs.railway.com/guides/dockerfiles#using-variables-at-build-time
2 months ago
I'll check that. I didn't know that a static ip is also used for builds.
ctrlshifti
I'll check that. I didn't know that a static ip is also used for builds.
2 months ago
If that doesn't work let me know, and I can keep brainstorming! Best of luck
mykal
If that doesn't work let me know, and I can keep brainstorming! Best of luck
3 days ago
Hey, I tried doing that today, but the request is being sent from a different IP address which is being blocked by the firewall. I have a static IP 208.77.xxx.xxx, but the request is actually coming from 34.1.xxx.xxx (building phase).
ctrlshifti
Hey, I tried doing that today, but the request is being sent from a different IP address which is being blocked by the firewall. I have a static IP 208.77.xxx.xxx, but the request is actually coming from 34.1.xxx.xxx (building phase).
3 days ago
Hey ctrlshifti, the static ip only covers your running service, not the build phase , which you already confirmed yourself by seeing that 34.1.x.x ip coming through.
the cleanest fix is to vendor your packages. just run pip download your-private-package -d ./vendor/ locally while you have access, then commit the .whl files to your repo. after that in your dockerfile just do COPY vendor/ /vendor/ and RUN pip install /vendor/*.whl.
that way pip never makes a network call during the build phase so your firewall becomes completely irrelevant
ilyass012
Hey ctrlshifti, the static ip only covers your running service, not the build phase , which you already confirmed yourself by seeing that 34.1.x.x ip coming through.the cleanest fix is to vendor your packages. just run pip download your-private-package -d ./vendor/ locally while you have access, then commit the .whl files to your repo. after that in your dockerfile just do COPY vendor/ /vendor/ and RUN pip install /vendor/*.whl.that way pip never makes a network call during the build phase so your firewall becomes completely irrelevant
3 days ago
Vendor the packages in your repo Run pip download your-private-package -d ./vendor/ locally (while you have access), commit the .whl files to your repo, then in your dockerfile install from local files:
dockerfile
COPY vendor/ /vendor/
RUN pip install /vendor/*.whl3 days ago
Hope this help you