@Nielio
Last active October 11, 2024 17:44
GitLab CE with built-in Container Registry behind Traefik 2 with Let's Encrypt
compose.yml

```yaml
version: "3.6"
services:
  gitlab:
    image: gitlab/gitlab-ce
    volumes:
      - gitlab-data:/var/opt/gitlab
      - gitlab-logs:/var/log/gitlab
      - gitlab-config:/etc/gitlab
    networks:
      - traefik-public
      - default
    ports:
      # SSH for git; published in host mode so GitLab sees the real client IP
      - target: 22
        published: 4224
        mode: host
    environment:
      GITLAB_OMNIBUS_CONFIG: "from_file('/omnibus_config.rb')"
    configs:
      - source: gitlab
        target: /omnibus_config.rb
    secrets:
      - gitlab_root_password
    deploy:
      resources:
        limits:
          memory: 8G
      # Swarm mode: Traefik reads labels from deploy.labels, not from the service-level labels key
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=traefik-public"
        - "traefik.http.routers.gitlab.rule=Host(`gitlab.your-domain.com`)"
        - "traefik.http.routers.gitlab.entrypoints=websecure"
        - "traefik.http.routers.gitlab.service=gitlab"
        - "traefik.http.routers.gitlab.tls.certresolver=letsencryptresolver"
        - "traefik.http.services.gitlab.loadbalancer.server.port=80"
        - "traefik.http.routers.registry.rule=Host(`registry.your-domain.com`)"
        - "traefik.http.routers.registry.entrypoints=websecure"
        - "traefik.http.routers.registry.service=registry"
        - "traefik.http.routers.registry.tls.certresolver=letsencryptresolver"
        - "traefik.http.services.registry.loadbalancer.server.port=5005"
configs:
  gitlab:
    file: ./gitlab.rb
secrets:
  gitlab_root_password:
    file: ./root_password.txt
volumes:
  gitlab-data:
  gitlab-logs:
  gitlab-config:
networks:
  traefik-public:
    external: true
  default:
```
Deploy the stack:

```sh
docker stack deploy -c compose.yml gitlab
```
gitlab.rb

```ruby
external_url 'https://gitlab.your-domain.com/'
# .strip drops the trailing newline most editors add to root_password.txt,
# which would otherwise become part of the root password
gitlab_rails['initial_root_password'] = File.read('/run/secrets/gitlab_root_password').strip

# Needed to let GitLab work behind Traefik: Traefik terminates TLS, GitLab's nginx listens on plain HTTP
nginx['listen_https'] = false
nginx['listen_port'] = 80
gitlab_rails['gitlab_ssh_host'] = 'gitlab.your-domain.com'
gitlab_rails['gitlab_shell_ssh_port'] = 4224

# Container registry, also behind Traefik on plain HTTP port 5005
registry_external_url 'http://registry.your-domain.com'
registry['enable'] = true
gitlab_rails['registry_enabled'] = true
registry_nginx['enable'] = true
registry_nginx['listen_port'] = 5005
registry_nginx['listen_https'] = false
registry_nginx['proxy_set_headers'] = {
  "Host" => "$http_host",
  "X-Real-IP" => "$remote_addr",
  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on"
}

# Rate-limit failed HTTP basic auth against git (brute-force protection)
gitlab_rails['rack_attack_git_basic_auth'] = {
  'enabled' => true,
  'ip_whitelist' => ["127.0.0.1"],
  'maxretry' => 10,
  'findtime' => 600,
  'bantime' => 136000
}
```
@ValentineK

Excellent! This helped me a lot in setting up traefik with gitlab+registry. In our particular use case I wanted to set up a gitlab instance with IP whitelisting for gitlab and open access to the container registry. However, in order to achieve this you need a special router in traefik which allows the docker login process (gitlab registry does not provide auth. Whenever auth is needed the user is forwarded to gitlab.your-domain.com/jwt/auth). Here is my compose extension, maybe it's helpful for somebody:

```yaml
# Gitlab Registry auth
- traefik.http.routers.gitlab-registry-auth.rule=Host(`gitlab.your-domain.com`) && PathPrefix(`/jwt/auth`) && Query(`service=container_registry`)
- traefik.http.routers.gitlab-registry-auth.entrypoints=https
- traefik.http.routers.gitlab-registry-auth.tls=true
- traefik.http.routers.gitlab-registry-auth.service=gitlab
```

Thank you so much for this comment, it saved my day, or more.

@ahen2305

Hello, could you share your traefik stack configuration for gitlab here?

@ippali

ippali commented Aug 13, 2024

Did I understand you correctly, that these labels are needed for gitlab users to be able to log in via docker and then pull and push from/to the registry? @migasQ

And here:

  • traefik.http.routers.gitlab-registry-auth.rule=Host(`gitlab.your-domain.com`) && PathPrefix(`/jwt/auth`) && Query(`service=container_registry`)

does "container_registry" correspond with the name of the service for the registry? In the above example the name was just "registry". I mean this bit: "traefik.http.routers.registry.rule=Host(`registry.your-domain.com`)". Thanks!

@migasQ

migasQ commented Aug 16, 2024

> Did I understand you correctly, that these labels are needed for gitlab users to be able to log in via docker and then pull and push from/to the registry? @migasQ

Yes! That's correct. Gitlab registry does not have an individual login process, but when a user runs docker login some.registry.com, the auth endpoint from gitlab itself is used. Therefore if you want to ip whitelist gitlab but keep your registry open (or whitelist for another ip range), the jwt/auth endpoint needs to be excluded from the first whitelist.

> And here:
>
>   • traefik.http.routers.gitlab-registry-auth.rule=Host(`gitlab.your-domain.com`) && PathPrefix(`/jwt/auth`) && Query(`service=container_registry`)
>
> does "container_registry" correspond with the name of the service for the registry? In the above example the name was just "registry". I mean this bit: "traefik.http.routers.registry.rule=Host(`registry.your-domain.com`)". Thanks!

No, this is actually a gitlab internal query param. You could probably remove that, but I noticed that whenever gitlab performs a login process initiated from docker login it adds ?service=container_registry as a query param, therefore I thought it wise to include that in the condition to narrow it down even more (https://doc.traefik.io/traefik/routing/routers/#query-and-queryregexp).

Greetings!
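
The restricted-GitLab / open-registry setup that ValentineK and migasQ describe above, assembled into one complete label set as an added example (this is not the gist's code nor either commenter's; the hostnames, entrypoint `websecure`, resolver and ports are taken from the gist, while the middleware name `gitlab-ipwhitelist`, the explicit router priorities and the source range `203.0.113.0/24` are placeholders chosen here and must be replaced with your own):

```yaml
# Added example for the deploy.labels section of the gitlab service (Swarm mode).
# Goal: only trusted networks reach the GitLab UI/API, but anyone may still
# `docker login`/pull/push against the registry, because the registry sends
# clients to https://gitlab.your-domain.com/jwt/auth?service=container_registry
# for their bearer token.
deploy:
  labels:
    - "traefik.enable=true"
    - "traefik.docker.network=traefik-public"

    # Middleware: allow-list of client source ranges for the GitLab UI/API.
    # 203.0.113.0/24 is a placeholder (documentation range), not a real network.
    - "traefik.http.middlewares.gitlab-ipwhitelist.ipwhitelist.sourcerange=203.0.113.0/24,10.0.0.0/8"

    # Router 1: GitLab itself, protected by the allow-list.
    - "traefik.http.routers.gitlab.rule=Host(`gitlab.your-domain.com`)"
    - "traefik.http.routers.gitlab.entrypoints=websecure"
    - "traefik.http.routers.gitlab.tls.certresolver=letsencryptresolver"
    - "traefik.http.routers.gitlab.service=gitlab"
    - "traefik.http.routers.gitlab.middlewares=gitlab-ipwhitelist"
    - "traefik.http.routers.gitlab.priority=10"

    # Router 2: only the registry token endpoint on the GitLab host, with NO
    # allow-list middleware. Same backend service as router 1.
    # Traefik already prefers the longer rule; the explicit priority makes the
    # intent visible instead of relying on rule length.
    - "traefik.http.routers.gitlab-registry-auth.rule=Host(`gitlab.your-domain.com`) && PathPrefix(`/jwt/auth`) && Query(`service=container_registry`)"
    - "traefik.http.routers.gitlab-registry-auth.entrypoints=websecure"
    - "traefik.http.routers.gitlab-registry-auth.tls.certresolver=letsencryptresolver"
    - "traefik.http.routers.gitlab-registry-auth.service=gitlab"
    - "traefik.http.routers.gitlab-registry-auth.priority=100"
    - "traefik.http.services.gitlab.loadbalancer.server.port=80"

    # Router 3: the registry data plane, open to everyone (authorization is
    # enforced by the bearer token GitLab issued, not by source IP).
    - "traefik.http.routers.registry.rule=Host(`registry.your-domain.com`)"
    - "traefik.http.routers.registry.entrypoints=websecure"
    - "traefik.http.routers.registry.tls.certresolver=letsencryptresolver"
    - "traefik.http.routers.registry.service=registry"
    - "traefik.http.services.registry.loadbalancer.server.port=5005"
```

Why this works: `docker login registry.your-domain.com` first requests `https://registry.your-domain.com/v2/`, gets a 401 whose `Www-Authenticate: Bearer` header names the realm `https://gitlab.your-domain.com/jwt/auth` and the service `container_registry`, then fetches its token from that realm with `service=container_registry` (and a `scope=` for pull/push) in the query string. Router 2 matches exactly those requests and nothing else on the GitLab host; every other path under `gitlab.your-domain.com` falls through to router 1 and the allow-list. You can check the challenge from outside with `curl -sI https://registry.your-domain.com/v2/` and confirm the realm and service values before relying on the rule. Two caveats for the allow-list itself: Traefik's `ipwhitelist` compares the connection's remote address, so Traefik must be published with `mode: host` on the Swarm nodes (the ingress routing mesh SNATs the client address, which is the same reason the gist publishes SSH in host mode); and if Traefik sits behind yet another proxy or load balancer, set `ipwhitelist.ipstrategy.depth` so the allow-list reads the real client from `X-Forwarded-For` instead of trusting the upstream hop's address.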

@harald79

Hello, I believe the labels section in the provided compose.yml needs to be indented one block to the left.
