-
-
Save Nielio/6845b6625211b5e25af0e12d08ecad60 to your computer and use it in GitHub Desktop.
| version: "3.6" | |
| services: | |
| gitlab: | |
| image: gitlab/gitlab-ce | |
| volumes: | |
| - gitlab-data:/var/opt/gitlab | |
| - gitlab-logs:/var/log/gitlab | |
| - gitlab-config:/etc/gitlab | |
| networks: | |
| - traefik-public | |
| - default | |
| ports: | |
| - target: 22 | |
| published: 4224 | |
| mode: host | |
| environment: | |
| GITLAB_OMNIBUS_CONFIG: "from_file('/omnibus_config.rb')" | |
| configs: | |
| - source: gitlab | |
| target: /omnibus_config.rb | |
| secrets: | |
| - gitlab_root_password | |
| deploy: | |
| resources: | |
| limits: | |
| memory: 8G | |
| labels: | |
| - "traefik.enable=true" | |
| - "traefik.docker.network=traefik-public" | |
| - "traefik.http.routers.gitlab.rule=Host(`gitlab.your-domain.com`)" | |
| - "traefik.http.routers.gitlab.entrypoints=websecure" | |
| - "traefik.http.routers.gitlab.service=gitlab" | |
| - "traefik.http.routers.gitlab.tls.certresolver=letsencryptresolver" | |
| - "traefik.http.services.gitlab.loadbalancer.server.port=80" | |
| - "traefik.http.routers.registry.rule=Host(`registry.your-domain.com`)" | |
| - "traefik.http.routers.registry.entrypoints=websecure" | |
| - "traefik.http.routers.registry.service=registry" | |
| - "traefik.http.routers.registry.tls.certresolver=letsencryptresolver" | |
| - "traefik.http.services.registry.loadbalancer.server.port=5005" | |
| configs: | |
| gitlab: | |
| file: ./gitlab.rb | |
| secrets: | |
| gitlab_root_password: | |
| file: ./root_password.txt | |
| volumes: | |
| gitlab-data: | |
| gitlab-logs: | |
| gitlab-config: | |
| networks: | |
| traefik-public: | |
| external: true | |
| default: |
| docker stack deploy -c compose.yml gitlab |
| external_url 'https://gitlab.your-domain.com/' | |
| gitlab_rails['initial_root_password'] = File.read('/run/secrets/gitlab_root_password') | |
| # Needed to let gitlab work behind traefik | |
| nginx['listen_https'] = false | |
| nginx['listen_port'] = 80 | |
| gitlab_rails['gitlab_ssh_host'] = 'gitlab.your-domain.com' | |
| gitlab_rails['gitlab_shell_ssh_port'] = 4224 | |
| # container registry | |
| registry_external_url 'http://registry.your-domain.com' | |
| registry['enable'] = true | |
| gitlab_rails['registry_enabled'] = true | |
| registry_nginx['enable'] = true | |
| registry_nginx['listen_port'] = 5005 | |
| registry_nginx['listen_https'] = false | |
| registry_nginx['proxy_set_headers'] = { | |
| "Host" => "$http_host", | |
| "X-Real-IP" => "$remote_addr", | |
| "X-Forwarded-For" => "$proxy_add_x_forwarded_for", | |
| "X-Forwarded-Proto" => "https", | |
| "X-Forwarded-Ssl" => "on" | |
| } | |
| gitlab_rails['rack_attack_git_basic_auth'] = { | |
| 'enabled' => true, | |
| 'ip_whitelist' => ["127.0.0.1"], | |
| 'maxretry' => 10, | |
| 'findtime' => 600, | |
| 'bantime' => 136000 | |
| } |
Thanks so much! I was pulling my hair out trying to get this to work.
Excellent! This helped me a lot in setting up traefik with gitlab+registry. In our particular use case I wanted to set up a gitlab instance with IP whitelisting for gitlab and open access to the container registry. However I order to acchieve this you need a special router in traefik which allows the docker login process (gitlab registry does not provide auth. Whenever auth is needed the user is forwarded to gitlab.your-domain.com/jwt/auth). Here is my compose extension, maybe it's helpful for somebody:
# Gitlab Registry auth
- traefik.http.routers.gitlab-registry-auth.rule=Host(`gitlab.your-domain.com`) && PathPrefix(`/jwt/auth`) && Query(`service=container_registry`)
- traefik.http.routers.gitlab-registry-auth.entrypoints=https
- traefik.http.routers.gitlab-registry-auth.tls=true
- traefik.http.routers.gitlab-registry-auth.service=gitlab
thx!
Hi, was pretty seamless experience until I tried to use ssh.
I followed the usual steps like described in the official gitlab docs but something is wrong since ssh always wants to fall back to password.
Do you have any advice / experience?
Best Felix
Excellent! This helped me a lot in setting up traefik with gitlab+registry. In our particular use case I wanted to set up a gitlab instance with IP whitelisting for gitlab and open access to the container registry. However I order to acchieve this you need a special router in traefik which allows the docker login process (gitlab registry does not provide auth. Whenever auth is needed the user is forwarded to
gitlab.your-domain.com/jwt/auth). Here is my compose extension, maybe it's helpful for somebody:# Gitlab Registry auth - traefik.http.routers.gitlab-registry-auth.rule=Host(`gitlab.your-domain.com`) && PathPrefix(`/jwt/auth`) && Query(`service=container_registry`) - traefik.http.routers.gitlab-registry-auth.entrypoints=https - traefik.http.routers.gitlab-registry-auth.tls=true - traefik.http.routers.gitlab-registry-auth.service=gitlab
thank you so much for this comment, it saved my day, or more
Hello, could u help to share here your traefik stack configuration for gitlab
Did I understand you correctly, that these labels are needed for gitlab users to be able to log in via docker and then pull and push from/to the registry? @migasQ
And here:
- traefik.http.routers.gitlab-registry-auth.rule=Host(
gitlab.your-domain.com) && PathPrefix(/jwt/auth) && Query(service=container_registry)
does "container_registry" correspond with the name of the service for the registry? As in the above example the name was just "registry". I mean this bit: "traefik.http.routers.registry.rule=Host(registry.your-domain.com)" Thanks!
Did I understand you correctly, that these labels are needed for gitlab users to be able to log in via docker and then pull and push from/to the registry? @migasQ
Yes! Thats correct. Gitlab registry does not have an individual login process but when a user runs docker login some.registry.com, the auth endpoint from gitlab itself is used. Therefore if you want to ip whitelist gitlab but keep your registry open (or whitelist for another ip range), the jwt/auth endpoint needs to be excluded from the first whitelist.
And here:
- traefik.http.routers.gitlab-registry-auth.rule=Host(
gitlab.your-domain.com) && PathPrefix(/jwt/auth) && Query(service=container_registry)does "container_registry" correspond with the name of the service for the registry? As in the above example the name was just "registry". I mean this bit: "traefik.http.routers.registry.rule=Host(
registry.your-domain.com)" Thanks!
No, this is actually a gitlab internal query param. You could probably remove that but I noticed that whenever gitlab performs a login process which initiated from docker login it adds ?service=container_registry as a querry param, therefore I thought it to be wise to include that into the condition to narrow it down even more (https://doc.traefik.io/traefik/routing/routers/#query-and-queryregexp).
Greetings!
Hello, I believe the labels section in the provided compose.yml needs to be indented one block to the left.
Thank you for posting this!
gitlab.rblines 5 and 6 fixed the setup I've been tinkering with for almost three days now