By default there is a setup may or may not enabled gitlab
In this part we will setup container registry inside self hosted gitlab with Openssl based self genrated ssl. If you wish you can read Part1. Lets get started.
First we need generate SSL cert with Openssl in our gitlab server.
Certificate authority (CA)
openssl req -x509 -nodes -new -sha256 -days 1024 -newkey rsa:2048 -keyout RootCA.key -out RootCA.pem -subj "/C=US/CN=Example-Root-CA"
openssl x509 -outform pem -in RootCA.pem -out RootCA.crt
Example-Root-CA is an example, you can customize the name.
Domain name certificate
Let's say we have two domains gitlab.local and registry.gitlab.local that are hosted on your local machine.
First, create a file domains.ext that lists all your local domains:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = gitlab.local
DNS.3 = registry.gitlab.local
Now we need to generate localhost.key, localhost.csr, and localhost.crt:
openssl req -new -nodes -newkey rsa:2048 -keyout localhost.key -out localhost.csr -subj "/C=US/ST=YourState/L=YourCity/O=Example-Certificates/CN=localhost.local"
openssl x509 -req -sha256 -days 1024 -in localhost.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -extfile domains.ext -out localhost.crt
The country / state / city / name in the first command can be changed.
Now we can setup registry inside gitlab.
Registry setup
First we need to locate ssl cert and key in /etc/gitlab/ssl
mv ./localhost.crt /etc/gitlab/ssl
mv ./localhost.key /etc/gitlab/ssl
Let’s open up our /etc/gitlab/gitlab.rb
file and modify.
...
################################################################################
## Container Registry settings
##! Docs: https://docs.gitlab.com/ce/administration/container_registry.html
################################################################################
registry_external_url 'https://registry.gitlab.local:5050'
##c Settings used by GitLab application
gitlab_rails['registry_enabled'] = true
gitlab_rails['registry_host'] = "registry.gitlab.local"
gitlab_rails['registry_port'] = "5050"
gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry"
###! **Do not change the following 3 settings unless you know what you are
###! doing**
# gitlab_rails['registry_api_url'] = "http://localhost:5000"
# gitlab_rails['registry_key_path'] = "/var/opt/gitlab/gitlab-rails/certificate.key"
# gitlab_rails['registry_issuer'] = "omnibus-gitlab-issuer"
### Settings used by Registry application
registry['enable'] = true
registry['health_storagedriver_enabled'] = false
registry_nginx['ssl_certificate'] = "/etc/gitlab/ssl/localhost.crt"
registry_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/localhost.key"
# registry['username'] = "registry"
# registry['group'] = "registry"
# registry['uid'] = nil
# registry['gid'] = nil
# registry['dir'] = "/var/opt/gitlab/registry"
# registry['registry_http_addr'] = "localhost:5000"
# registry['debug_addr'] = "localhost:5001"
# registry['log_directory'] = "/var/log/gitlab/registry"
# registry['env_directory'] = "/opt/gitlab/etc/registry/env"
# registry['env'] = {
# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
# }
# registry['log_level'] = "info"
# registry['log_formatter'] = "text"
# registry['rootcertbundle'] = "/var/opt/gitlab/registry/certificate.crt"
# registry['health_storagedriver_enabled'] = true
# registry['storage_delete_enabled'] = true
# registry['validation_enabled'] = false
# registry['autoredirect'] = false
# registry['compatibility_schema1_enabled'] = false
### Registry backend storage
###! Docs: https://docs.gitlab.com/ce/administration/container_registry.html#container-registry-storage-driver
registry['storage'] = {
's3' => {
'accesskey' => 'minio',
'secretkey' => 'miniostorage',
'bucket' => 'gitlab-registry',
'region' => 'us-east-1',
'regionendpoint' => 'http://minio.example.com:9000',
'secure' => false,
'encrypt' => false,
'v4Auth' => true
},
'redirect' => {
'disable' => true
}
}
...
Now I should explain something in this setup.
First off all when we create this setup we have to look if registry storage health check is enabled. We should first make it false if our minio bucket is free. It is a bug and only solution is make storage health check false. After all done you installed image to bucket you can then make health check enable.
Another thing is about registry s3 setup. We should define region as like in aws s3, without it gitlab will give us an exception. You can set any region as you wish and it doesnt matter.
For bucket it is the bucket that you generated in your minio s3 server.
Next thing is about nginx setup. Normally nginx setup for registry is located in the down of the gitlab.rb but for not to copying all the setup I have added it to registry setup.
Now we need to reconfigure gitlab setup. It will not affect anything in your current setup. It will only restart config for gilab.
gitlab-ctl reconfigure
That is it. Now we can login our registry from docker server and push images there.
docker login registry.gitlab.local:5050
If you get output like this:
Output
Login Succeeded
Then it means you are ready to push your images to custom made registry. That is it for now. If you have any problem with this setup please let me know with contact form. Thank you.
Top comments (1)
while try to push the docker image to custom registry it is showing "Retrying in 3 seconds"