Gitlab CE with build in Container Registry behind Traefik 2 with Letsencrypt

compose.yml

version: "3.6"
services:
  gitlab:
    image: gitlab/gitlab-ce
    volumes:
      - gitlab-data:/var/opt/gitlab
      - gitlab-logs:/var/log/gitlab
      - gitlab-config:/etc/gitlab
    networks:
      - traefik-public
      - default
    ports:
      - target: 22
        published: 4224
        mode: host
    environment:
      GITLAB_OMNIBUS_CONFIG: "from_file('/omnibus_config.rb')"
    configs:
      - source: gitlab
        target: /omnibus_config.rb
    secrets:
      - gitlab_root_password
    deploy:
      resources:
        limits:
          memory: 8G
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=traefik-public"

        - "traefik.http.routers.gitlab.rule=Host(`gitlab.your-domain.com`)"
        - "traefik.http.routers.gitlab.entrypoints=websecure"
        - "traefik.http.routers.gitlab.service=gitlab"
        - "traefik.http.routers.gitlab.tls.certresolver=letsencryptresolver"
        - "traefik.http.services.gitlab.loadbalancer.server.port=80"

        - "traefik.http.routers.registry.rule=Host(`registry.your-domain.com`)"
        - "traefik.http.routers.registry.entrypoints=websecure"
        - "traefik.http.routers.registry.service=registry"
        - "traefik.http.routers.registry.tls.certresolver=letsencryptresolver"
        - "traefik.http.services.registry.loadbalancer.server.port=5005"

configs:
  gitlab:
    file: ./gitlab.rb

secrets:
  gitlab_root_password:
    file: ./root_password.txt

volumes:
  gitlab-data:
  gitlab-logs:
  gitlab-config:

networks:
  traefik-public:
    external: true
  default:

deploy.sh

docker stack deploy -c compose.yml gitlab

gitlab.rb

external_url 'https://gitlab.your-domain.com/'
gitlab_rails['initial_root_password'] = File.read('/run/secrets/gitlab_root_password')

# Needed to let gitlab work behind traefik
nginx['listen_https'] = false
nginx['listen_port'] = 80

gitlab_rails['gitlab_ssh_host'] = 'gitlab.your-domain.com'
gitlab_rails['gitlab_shell_ssh_port'] = 4224

# container registry
registry_external_url 'http://registry.your-domain.com'
registry['enable'] = true
gitlab_rails['registry_enabled'] = true
registry_nginx['enable'] = true
registry_nginx['listen_port'] = 5005
registry_nginx['listen_https'] = false
registry_nginx['proxy_set_headers'] = {
  "Host" => "$http_host",
  "X-Real-IP" => "$remote_addr",
  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on"
}

gitlab_rails['rack_attack_git_basic_auth'] = {
   'enabled' => true,
   'ip_whitelist' => ["127.0.0.1"],
   'maxretry' => 10,
   'findtime' => 600,
   'bantime' => 136000
}

Did I understand you correctly, that these labels are needed for gitlab users to be able to log in via docker and then pull and push from/to the registry? @migasQ

Yes! Thats correct. Gitlab registry does not have an individual login process but when a user runs docker login some.registry.com, the auth endpoint from gitlab itself is used. Therefore if you want to ip whitelist gitlab but keep your registry open (or whitelist for another ip range), the jwt/auth endpoint needs to be excluded from the first whitelist.

And here:

• traefik.http.routers.gitlab-registry-auth.rule=Host(gitlab.your-domain.com) && PathPrefix(/jwt/auth) && Query(service=container_registry)

does "container_registry" correspond with the name of the service for the registry? As in the above example the name was just "registry". I mean this bit: "traefik.http.routers.registry.rule=Host(registry.your-domain.com)" Thanks!

No, this is actually a gitlab internal query param. You could probably remove that but I noticed that whenever gitlab performs a login process which initiated from docker login it adds ?service=container_registry as a querry param, therefore I thought it to be wise to include that into the condition to narrow it down even more (https://doc.traefik.io/traefik/routing/routers/#query-and-queryregexp).

Greetings!

Hello, I believe the labels section in the provided compose.yml needs to be indented one block to the left.