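# Docker Swarm stack: GitLab CE (with container registry) behind an existing
# Traefik reverse proxy. Deploy with: docker stack deploy -c compose.yml gitlab
version: "3.6"

services:
  gitlab:
    image: gitlab/gitlab-ce
    volumes:
      - gitlab-data:/var/opt/gitlab
      - gitlab-logs:/var/log/gitlab
      - gitlab-config:/etc/gitlab
    networks:
      # Shared network on which Traefik reaches this service (declared external below).
      - traefik-public
      - default
    ports:
      # Git-over-SSH. mode: host publishes 4224 directly on the node, bypassing
      # the routing mesh; it must match gitlab_shell_ssh_port in gitlab.rb.
      - target: 22
        published: 4224
        mode: host
    environment:
      # Omnibus loads its settings from the config object mounted below.
      GITLAB_OMNIBUS_CONFIG: "from_file('/omnibus_config.rb')"
    configs:
      - source: gitlab
        target: /omnibus_config.rb
    secrets:
      # Mounted at /run/secrets/gitlab_root_password and read by gitlab.rb.
      - gitlab_root_password
    deploy:
      resources:
        limits:
          memory: 8G
      # Swarm service labels read by Traefik. They must sit under deploy as a
      # sibling of resources, not nested inside resources/limits.
      # TLS is terminated by Traefik (websecure + Let's Encrypt); Traefik talks
      # plain HTTP to GitLab's nginx (80) and the registry's nginx (5005) over
      # the overlay network, which is why gitlab.rb disables listen_https.
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=traefik-public"
        - "traefik.http.routers.gitlab.rule=Host(`gitlab.your-domain.com`)"
        - "traefik.http.routers.gitlab.entrypoints=websecure"
        - "traefik.http.routers.gitlab.service=gitlab"
        - "traefik.http.routers.gitlab.tls.certresolver=letsencryptresolver"
        - "traefik.http.services.gitlab.loadbalancer.server.port=80"
        - "traefik.http.routers.registry.rule=Host(`registry.your-domain.com`)"
        - "traefik.http.routers.registry.entrypoints=websecure"
        - "traefik.http.routers.registry.service=registry"
        - "traefik.http.routers.registry.tls.certresolver=letsencryptresolver"
        - "traefik.http.services.registry.loadbalancer.server.port=5005"

configs:
  gitlab:
    file: ./gitlab.rb

secrets:
  gitlab_root_password:
    # Keep this file out of version control; its contents are used verbatim
    # as the initial root password by gitlab.rb.
    file: ./root_password.txt

volumes:
  gitlab-data:
  gitlab-logs:
  gitlab-config:

networks:
  # Must already exist (created by the Traefik stack); not managed by this stack.
  traefik-public:
    external: true
  default: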
# Deploy (or update) the "gitlab" stack from compose.yml on the current swarm manager.
docker stack deploy --compose-file compose.yml gitlab
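# Omnibus GitLab configuration, mounted into the container as /omnibus_config.rb.
# TLS is terminated by Traefik; GitLab's nginx and the registry's nginx listen
# on plain HTTP inside the overlay network.
external_url 'https://gitlab.your-domain.com/'
# Initial root password from the Docker secret. .strip removes the trailing
# newline that editors and `echo` typically leave in root_password.txt, which
# would otherwise become part of the password.
gitlab_rails['initial_root_password'] = File.read('/run/secrets/gitlab_root_password').strip

# Needed to let gitlab work behind traefik
nginx['listen_https'] = false
nginx['listen_port'] = 80
# NOTE(review): unless gitlab_rails['trusted_proxies'] lists the Traefik
# address(es), GitLab sees every request as coming from the proxy; the
# rack_attack ip_whitelist/bantime below would then act on that single
# address rather than on real clients — confirm.
gitlab_rails['gitlab_ssh_host'] = 'gitlab.your-domain.com'
# Must match the host-published port in compose.yml.
gitlab_rails['gitlab_shell_ssh_port'] = 4224

# container registry
# NOTE(review): Traefik serves this host over TLS; GitLab's documented pattern
# for TLS terminated upstream uses an https:// URL here — confirm which scheme
# docker clients are advertised.
registry_external_url 'http://registry.your-domain.com'
registry['enable'] = true
gitlab_rails['registry_enabled'] = true
registry_nginx['enable'] = true
registry_nginx['listen_port'] = 5005
registry_nginx['listen_https'] = false
# Forwarded headers so the registry sees the original client address and the
# https scheme Traefik terminated.
registry_nginx['proxy_set_headers'] = {
  "Host" => "$http_host",
  "X-Real-IP" => "$remote_addr",
  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on"
}
# Throttle failed Git HTTP basic-auth attempts: after maxretry failures within
# findtime seconds, the source IP is banned for bantime seconds.
gitlab_rails['rack_attack_git_basic_auth'] = {
  'enabled' => true,
  'ip_whitelist' => ["127.0.0.1"],
  'maxretry' => 10,
  'findtime' => 600,
  'bantime' => 136000
}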
Excellent! This helped me a lot in setting up traefik with gitlab+registry. In our particular use case I wanted to set up a gitlab instance with IP whitelisting for gitlab and open access to the container registry. However, in order to achieve this you need a special router in traefik which allows the docker login process (gitlab registry does not provide auth. Whenever auth is needed the user is forwarded to
gitlab.your-domain.com/jwt/auth
). Here is my compose extension; maybe it's helpful for somebody:
# Gitlab Registry auth
- traefik.http.routers.gitlab-registry-auth.rule=Host(`gitlab.your-domain.com`) && PathPrefix(`/jwt/auth`) && Query(`service=container_registry`)
- traefik.http.routers.gitlab-registry-auth.entrypoints=https
- traefik.http.routers.gitlab-registry-auth.tls=true
- traefik.http.routers.gitlab-registry-auth.service=gitlab
thank you so much for this comment, it saved my day, or more
Hello, could you share your traefik stack configuration for gitlab here?
Did I understand you correctly, that these labels are needed for gitlab users to be able to log in via docker and then pull and push from/to the registry? @migasQ
And here:
- traefik.http.routers.gitlab-registry-auth.rule=Host(
gitlab.your-domain.com
) && PathPrefix(/jwt/auth
) && Query(service=container_registry
)
does "container_registry" correspond with the name of the service for the registry? As in the above example the name was just "registry". I mean this bit: "traefik.http.routers.registry.rule=Host(registry.your-domain.com
)" Thanks!
Did I understand you correctly, that these labels are needed for gitlab users to be able to log in via docker and then pull and push from/to the registry? @migasQ
Yes! That's correct. Gitlab registry does not have an individual login process, but when a user runs docker login some.registry.com
, the auth
endpoint from gitlab itself is used. Therefore if you want to ip whitelist gitlab but keep your registry open (or whitelist for another ip range), the jwt/auth
endpoint needs to be excluded from the first whitelist.
And here:
- traefik.http.routers.gitlab-registry-auth.rule=Host(
gitlab.your-domain.com
) && PathPrefix(/jwt/auth
) && Query(service=container_registry
)does "container_registry" correspond with the name of the service for the registry? As in the above example the name was just "registry". I mean this bit: "traefik.http.routers.registry.rule=Host(
registry.your-domain.com
)" Thanks!
No, this is actually a gitlab internal query param. You could probably remove that, but I noticed that whenever gitlab performs a login process which is initiated from docker login
it adds ?service=container_registry
as a query param, therefore I thought it wise to include that in the condition to narrow it down even more (https://doc.traefik.io/traefik/routing/routers/#query-and-queryregexp).
Greetings!
Hello, I believe the labels section in the provided compose.yml needs to be indented one block to the left.
Hi, it was a pretty seamless experience until I tried to use ssh.
I followed the usual steps as described in the official gitlab docs, but something is wrong since ssh always wants to fall back to password authentication.
Do you have any advice / experience?
Best Felix