
Gitlab Container Registry with Minio custom S3 Bucket Part2

GitLab Omnibus may or may not have the container registry enabled by default. In this post you will learn how to enable it and integrate it with a MinIO S3 bucket.

In this part we will set up the container registry inside a self-hosted GitLab instance, using a self-generated SSL certificate created with OpenSSL. If you wish, you can read Part 1 first. Let's get started. First we need to generate the SSL certificate with OpenSSL on our GitLab server.

Certificate authority (CA)

openssl req -x509 -nodes -new -sha256 -days 1024 -newkey rsa:2048 -keyout RootCA.key -out RootCA.pem -subj "/C=US/CN=Example-Root-CA"
openssl x509 -outform pem -in RootCA.pem -out RootCA.crt

Example-Root-CA is an example; you can customize the name.

Domain name certificate

Let’s say we have two domains gitlab.local and registry.gitlab.local that are hosted on your local machine.

First, create a file domains.ext that lists all your local domains:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = gitlab.local
DNS.3 = registry.gitlab.local

Now we need to generate localhost.key, localhost.csr, and localhost.crt:

openssl req -new -nodes -newkey rsa:2048 -keyout localhost.key -out localhost.csr -subj "/C=US/ST=YourState/L=YourCity/O=Example-Certificates/CN=localhost.local"
openssl x509 -req -sha256 -days 1024 -in localhost.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -extfile domains.ext -out localhost.crt

The country / state / city / name in the first command can be changed.
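Before handing the files to GitLab it is worth confirming that the certificate chains to the root CA, covers the registry hostname in its SAN list, and matches the private key. The script below is an added example, not part of the original post; the function names check_registry_cert and make_demo_pki are hypothetical, and the demo PKI it builds is a constructed throwaway copy of the commands above.

```shell
#!/usr/bin/env bash
# Added example: check a cert/key pair before registry_nginx is pointed at it.

# check_registry_cert CERT KEY CA HOST  ->  returns 0 only if every check passes
check_registry_cert() {
  cert=$1; key=$2; ca=$3; host=$4
  # 1. The chain builds to the root CA and HOST matches a subjectAltName entry.
  openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert" 2>/dev/null |
    grep -q ': OK$' || { echo "FAIL: chain or SAN for $host"; return 1; }
  # 2. The private key is the one the certificate was issued for.
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
    { echo "FAIL: key does not match certificate"; return 1; }
  # 3. The leaf is not itself a CA (basicConstraints from domains.ext).
  openssl x509 -in "$cert" -noout -text | grep -q 'CA:FALSE' ||
    { echo "FAIL: leaf is not CA:FALSE"; return 1; }
  echo "OK: $host"
}

# make_demo_pki DIR: constructed throwaway PKI that repeats the post's commands.
make_demo_pki() {
  (
    cd "$1" || exit 1
    openssl req -x509 -nodes -new -sha256 -days 1024 -newkey rsa:2048 \
      -keyout RootCA.key -out RootCA.pem -subj "/C=US/CN=Example-Root-CA" 2>/dev/null || exit 1
    printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
      'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
      'subjectAltName = @alt_names' '' '[alt_names]' 'DNS.1 = localhost' \
      'DNS.2 = gitlab.local' 'DNS.3 = registry.gitlab.local' > domains.ext
    openssl req -new -nodes -newkey rsa:2048 -keyout localhost.key \
      -out localhost.csr -subj "/C=US/CN=localhost.local" 2>/dev/null || exit 1
    openssl x509 -req -sha256 -days 1024 -in localhost.csr -CA RootCA.pem \
      -CAkey RootCA.key -CAcreateserial -extfile domains.ext -out localhost.crt 2>/dev/null
  )
}

# With four arguments check real files; with none, run the constructed demo.
if [ "$#" -eq 4 ]; then
  check_registry_cert "$@"
elif [ "$#" -eq 0 ]; then
  demo=$(mktemp -d) && make_demo_pki "$demo" &&
    check_registry_cert "$demo/localhost.crt" "$demo/localhost.key" "$demo/RootCA.pem" registry.gitlab.local
  rm -rf "$demo"
fi
```

Clients only accept this certificate if they trust the same root; for the Docker engine that means placing RootCA.crt at /etc/docker/certs.d/registry.gitlab.local:5050/ca.crt on the Docker host.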

Now we can set up the registry inside GitLab.

Registry setup

First we need to place the SSL certificate and key in /etc/gitlab/ssl:

mv ./localhost.crt /etc/gitlab/ssl
mv ./localhost.key /etc/gitlab/ssl

Let's open our /etc/gitlab/gitlab.rb file and modify it.

...
################################################################################
## Container Registry settings
##! Docs: https://docs.gitlab.com/ce/administration/container_registry.html
################################################################################

registry_external_url 'https://registry.gitlab.local:5050'

### Settings used by GitLab application
gitlab_rails['registry_enabled'] = true
gitlab_rails['registry_host'] = "registry.gitlab.local"
gitlab_rails['registry_port'] = "5050"
gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry"

###! **Do not change the following 3 settings unless you know what you are
###!   doing**
# gitlab_rails['registry_api_url'] = "http://localhost:5000"
# gitlab_rails['registry_key_path'] = "/var/opt/gitlab/gitlab-rails/certificate.key"
# gitlab_rails['registry_issuer'] = "omnibus-gitlab-issuer"

### Settings used by Registry application
registry['enable'] = true
registry['health_storagedriver_enabled'] = false
registry_nginx['ssl_certificate'] = "/etc/gitlab/ssl/localhost.crt"
registry_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/localhost.key"
# registry['username'] = "registry"
# registry['group'] = "registry"
# registry['uid'] = nil
# registry['gid'] = nil
# registry['dir'] = "/var/opt/gitlab/registry"
# registry['registry_http_addr'] = "localhost:5000"
# registry['debug_addr'] = "localhost:5001"
# registry['log_directory'] = "/var/log/gitlab/registry"
# registry['env_directory'] = "/opt/gitlab/etc/registry/env"
# registry['env'] = {
#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
# }
# registry['log_level'] = "info"
# registry['log_formatter'] = "text"
# registry['rootcertbundle'] = "/var/opt/gitlab/registry/certificate.crt"
# registry['health_storagedriver_enabled'] = true
# registry['storage_delete_enabled'] = true
# registry['validation_enabled'] = false
# registry['autoredirect'] = false
# registry['compatibility_schema1_enabled'] = false

### Registry backend storage
###! Docs: https://docs.gitlab.com/ce/administration/container_registry.html#container-registry-storage-driver
registry['storage'] = {
  's3' => {
    'accesskey' => 'minio',          # MinIO access key
    'secretkey' => 'miniostorage',   # MinIO secret key
    'bucket' => 'gitlab-registry',   # bucket created on the MinIO server
    'region' => 'us-east-1',         # required by the driver; any value works with MinIO
    'regionendpoint' => 'http://minio.example.com:9000',
    'secure' => false,               # plain HTTP to MinIO, consistent with the http:// endpoint above
    'encrypt' => false,              # no server-side encryption of stored objects
    'v4Auth' => true
  },
  'redirect' => {
    'disable' => true                # serve blobs through the registry instead of redirecting clients to MinIO
  }
}
...

A few things in this setup need explaining. First of all, when we create this setup we have to check whether the registry storage health check is enabled. We should set it to false first if our MinIO bucket is empty. This is a bug, and the only solution is to set the storage health check to false. Once everything is done and an image has been stored in the bucket, you can enable the health check again.

Another point concerns the registry S3 setup. We must define a region, just as in AWS S3; without it GitLab will raise an exception. You can set any region you wish; it doesn't matter. The bucket is the one you created on your MinIO S3 server.

The next point is the nginx setup. Normally the nginx settings for the registry are located further down in gitlab.rb, but to avoid copying the whole file I have added them to the registry section.

Now we need to reconfigure GitLab. It will not affect anything in your current setup; it will only reload the GitLab configuration.

gitlab-ctl reconfigure

That is it. Now we can log in to our registry from the Docker server and push images there.

docker login registry.gitlab.local:5050

If you get output like this:

Output
Login Succeeded

Then it means you are ready to push your images to your custom registry. That is it for now. If you have any problem with this setup, please let me know via the contact form. Thank you.
