
Configuring the GitLab Container Registry


Goal: set up the GitLab Container Registry behind a reverse proxy in GitLab's bundled Nginx

Enable the inclusion of custom configs in GitLab Nginx:
vi /etc/gitlab/gitlab.rb
Change:
# nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/example.conf;"

To (uncommented, so that the setting takes effect):
nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/*.conf;"

Create a base config for the registry domain in /etc/nginx/conf.d/ (any file name ending in .conf matches the include above):
server {
    listen       80;
    server_name  registry.newsite.com;

    root /usr/share/nginx/html;

    location / {
        deny all;
    }

    location ^~ /.well-known {
        default_type 'text/plain';
        allow all;
    }

    error_log   /var/log/nginx/registry_newsite_com_error.log error;
    access_log  /var/log/nginx/registry_newsite_com_access.log;
}

Create the required directories:
mkdir -p /etc/nginx/conf.d /var/log/nginx /usr/share/nginx/html

Reconfigure GitLab:
gitlab-ctl reconfigure

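Obtain a valid certificate from Let's Encrypt (the -d name must match server_name, because the certificate paths below are derived from it):
certbot certonly -a webroot -w /usr/share/nginx/html -d registry.newsite.com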

Add the TLS server block to the registry domain config:
server {
    listen       443 ssl;
    server_name  registry.newsite.com;

    ssl_certificate /etc/letsencrypt/live/registry.newsite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/registry.newsite.com/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); allow only 1.2 and newer
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    root /usr/share/nginx/html;

    location / {
        proxy_pass http://127.0.0.1:8090;
        proxy_read_timeout      300;
        proxy_connect_timeout   300;
        proxy_redirect          off;
        proxy_set_header        X-Forwarded-Proto https;
        proxy_set_header        Host              $http_host;
        proxy_set_header        X-Real-IP         $remote_addr;
        proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Ssl   on;
    }

    location ^~ /.well-known {
        default_type 'text/plain';
        allow all;
    }

    error_log   /var/log/nginx/registry_newsite_com_ssl_error.log error;
    access_log  /var/log/nginx/registry_newsite_com_ssl_access.log;
}

Make the changes that enable the registry:
vi /etc/gitlab/gitlab.rb
registry_external_url 'https://registry.newsite.com'
gitlab_rails['registry_enabled'] = true
registry['enable'] = true
registry_nginx['enable'] = true
registry_nginx['proxy_set_headers'] = {
  "Host" => "$http_host",
  "X-Real-IP" => "$remote_addr",
  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on"
}
registry_nginx['listen_port'] = 8090
registry_nginx['listen_https'] = false

Reconfigure GitLab:
gitlab-ctl reconfigure

Verify authentication and pushing an image:
docker login registry.newsite.com
docker build -t registry.newsite.com/test/test-1 .
docker push registry.newsite.com/test/test-1
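
A pre-reload check for the TLS server block, as an added example that is not part of the original page: it flags deprecated TLS versions, a proxy_pass that leaves the loopback interface (the hop to port 8090 is plain HTTP), and a certificate directory that does not match server_name. The function names, the finding labels and the name rg.example.test are assumptions made for this example; the sample vhost is constructed.

```shell
# Audit an nginx vhost read from stdin (one directive per line assumed).
# Prints one finding per line; returns 1 if anything was found.
audit_registry_vhost() {
    local body protos upstreams names certs x rc=0
    body=$(sed 's/#.*//')    # ignore commented-out directives

    # 1. Nothing older than TLSv1.2 (TLS 1.0/1.1 are deprecated by RFC 8996).
    protos=$(printf '%s\n' "$body" |
        awk '$1 == "ssl_protocols" { sub(/;.*/, ""); $1 = ""; print }')
    for x in $protos; do
        case "$x" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "WEAK_PROTOCOL $x"; rc=1 ;;
        esac
    done

    # 2. registry_nginx['listen_https'] = false makes the hop to port 8090
    #    plain HTTP, so proxy_pass has to stay on the loopback interface.
    upstreams=$(printf '%s\n' "$body" |
        awk '$1 == "proxy_pass" { sub(/;.*/, "", $2); print $2 }')
    for x in $upstreams; do
        case "$x" in
            http://127.0.0.1:*|http://localhost:*|https://*) ;;
            *) echo "PLAINTEXT_UPSTREAM $x"; rc=1 ;;
        esac
    done

    # 3. certbot writes to live/<first -d name>/; a directory name that is not
    #    a server_name usually means the certificate is for another host.
    names=$(printf '%s\n' "$body" |
        awk '$1 == "server_name" { sub(/;.*/, ""); $1 = ""; print }' | tr '\n' ' ')
    certs=$(printf '%s\n' "$body" | awk '$1 == "ssl_certificate" { print $2 }' |
        sed -n 's#.*/live/\([^/]*\)/.*#\1#p')
    for x in $certs; do
        case " $names " in
            *" $x "*) ;;
            *) echo "CERT_NAME_MISMATCH $x"; rc=1 ;;
        esac
    done
    return "$rc"
}
# Constructed sample modelled on the TLS server block above, with TLSv1.1
# enabled and a certificate path issued for a placeholder name.
sample_vhost() {
    printf '%s\n' 'server {' '    listen 443 ssl;' \
        '    server_name registry.newsite.com;' \
        '    ssl_certificate /etc/letsencrypt/live/rg.example.test/fullchain.pem;' \
        '    ssl_protocols TLSv1.1 TLSv1.2;' \
        '    location / {' '        proxy_pass http://127.0.0.1:8090;' '    }' '}'
}
sample_vhost | audit_registry_vhost || true
```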
15-10-2021, 14:47