-
-
Save Nielio/6845b6625211b5e25af0e12d08ecad60 to your computer and use it in GitHub Desktop.
| version: "3.6" | |
| services: | |
| gitlab: | |
| image: gitlab/gitlab-ce | |
| volumes: | |
| - gitlab-data:/var/opt/gitlab | |
| - gitlab-logs:/var/log/gitlab | |
| - gitlab-config:/etc/gitlab | |
| networks: | |
| - traefik-public | |
| - default | |
| ports: | |
| - target: 22 | |
| published: 4224 | |
| mode: host | |
| environment: | |
| GITLAB_OMNIBUS_CONFIG: "from_file('/omnibus_config.rb')" | |
| configs: | |
| - source: gitlab | |
| target: /omnibus_config.rb | |
| secrets: | |
| - gitlab_root_password | |
| deploy: | |
| resources: | |
| limits: | |
| memory: 8G | |
| labels: | |
| - "traefik.enable=true" | |
| - "traefik.docker.network=traefik-public" | |
| - "traefik.http.routers.gitlab.rule=Host(`gitlab.your-domain.com`)" | |
| - "traefik.http.routers.gitlab.entrypoints=websecure" | |
| - "traefik.http.routers.gitlab.service=gitlab" | |
| - "traefik.http.routers.gitlab.tls.certresolver=letsencryptresolver" | |
| - "traefik.http.services.gitlab.loadbalancer.server.port=80" | |
| - "traefik.http.routers.registry.rule=Host(`registry.your-domain.com`)" | |
| - "traefik.http.routers.registry.entrypoints=websecure" | |
| - "traefik.http.routers.registry.service=registry" | |
| - "traefik.http.routers.registry.tls.certresolver=letsencryptresolver" | |
| - "traefik.http.services.registry.loadbalancer.server.port=5005" | |
| configs: | |
| gitlab: | |
| file: ./gitlab.rb | |
| secrets: | |
| gitlab_root_password: | |
| file: ./root_password.txt | |
| volumes: | |
| gitlab-data: | |
| gitlab-logs: | |
| gitlab-config: | |
| networks: | |
| traefik-public: | |
| external: true | |
| default: |
| docker stack deploy -c compose.yml gitlab |
| external_url 'https://gitlab.your-domain.com/' | |
| gitlab_rails['initial_root_password'] = File.read('/run/secrets/gitlab_root_password') | |
| # Needed to let gitlab work behind traefik | |
| nginx['listen_https'] = false | |
| nginx['listen_port'] = 80 | |
| gitlab_rails['gitlab_ssh_host'] = 'gitlab.your-domain.com' | |
| gitlab_rails['gitlab_shell_ssh_port'] = 4224 | |
| # container registry | |
| registry_external_url 'http://registry.your-domain.com' | |
| registry['enable'] = true | |
| gitlab_rails['registry_enabled'] = true | |
| registry_nginx['enable'] = true | |
| registry_nginx['listen_port'] = 5005 | |
| registry_nginx['listen_https'] = false | |
| registry_nginx['proxy_set_headers'] = { | |
| "Host" => "$http_host", | |
| "X-Real-IP" => "$remote_addr", | |
| "X-Forwarded-For" => "$proxy_add_x_forwarded_for", | |
| "X-Forwarded-Proto" => "https", | |
| "X-Forwarded-Ssl" => "on" | |
| } | |
| gitlab_rails['rack_attack_git_basic_auth'] = { | |
| 'enabled' => true, | |
| 'ip_whitelist' => ["127.0.0.1"], | |
| 'maxretry' => 10, | |
| 'findtime' => 600, | |
| 'bantime' => 136000 | |
| } |
Hello, could u help to share here your traefik stack configuration for gitlab
Did I understand you correctly, that these labels are needed for gitlab users to be able to log in via docker and then pull and push from/to the registry? @migasQ
And here:
- traefik.http.routers.gitlab-registry-auth.rule=Host(
gitlab.your-domain.com) && PathPrefix(/jwt/auth) && Query(service=container_registry)
does "container_registry" correspond with the name of the service for the registry? As in the above example the name was just "registry". I mean this bit: "traefik.http.routers.registry.rule=Host(registry.your-domain.com)" Thanks!
Did I understand you correctly, that these labels are needed for gitlab users to be able to log in via docker and then pull and push from/to the registry? @migasQ
Yes! Thats correct. Gitlab registry does not have an individual login process but when a user runs docker login some.registry.com, the auth endpoint from gitlab itself is used. Therefore if you want to ip whitelist gitlab but keep your registry open (or whitelist for another ip range), the jwt/auth endpoint needs to be excluded from the first whitelist.
And here:
- traefik.http.routers.gitlab-registry-auth.rule=Host(
gitlab.your-domain.com) && PathPrefix(/jwt/auth) && Query(service=container_registry)does "container_registry" correspond with the name of the service for the registry? As in the above example the name was just "registry". I mean this bit: "traefik.http.routers.registry.rule=Host(
registry.your-domain.com)" Thanks!
No, this is actually a gitlab internal query param. You could probably remove that but I noticed that whenever gitlab performs a login process which initiated from docker login it adds ?service=container_registry as a querry param, therefore I thought it to be wise to include that into the condition to narrow it down even more (https://doc.traefik.io/traefik/routing/routers/#query-and-queryregexp).
Greetings!
Hello, I believe the labels section in the provided compose.yml needs to be indented one block to the left.
THIS GIST SAVES LIVES!
I've been trying to get the whole thing working for days, with the (useless) help of ChatGPT and hundreds of docs, forum posts and tutorials - finally!!
Is it possible to use the same domain for gitlab and registry using Traefik?
Is it possible to use the same domain for gitlab and registry using Traefik?
Hi, I currently have those two labels in my GitLab compose file and this is working just fine:
- "traefik.http.routers.gitlab.rule=Host(
gitlab.${DOMAIN})" - "traefik.http.routers.gitlab-registry.rule=Host(
registry.gitlab.${DOMAIN})"
So if this is what you're trying to accomplish the answer is yes.
thank you so much for this comment, it saved my day, or more