Enable authentication for registry, without permitting creation of new accounts via JWT

Problem to solve

We get errors when pushing to our registry with Docker and Podman. Podman’s error is:

Error: writing blob: uploading layer to ... received unexpected HTTP status: 204 No Content

So I am reviewing the registry configuration under /var/opt/gitlab/registry/config.yml. I see that the configuration relies upon /jwt/auth for user authentication, but that URL results in 404, because JWT is not currently configured on our self-hosted instance of GitLab.

Use of JWT for authentication of the registry is recommended:

At the absolute minimum, make sure your Registry configuration has container_registry as the service and https://gitlab.example.com/jwt/auth as the realm:

auth:
  token:
    realm: https://gitlab.example.com/jwt/auth
    service: container_registry
    issuer: gitlab-issuer
    rootcertbundle: /root/certs/certbundle

If auth is not set up, users can pull Docker images without authentication.

But I don’t want to enable Just-In-Time account creation when activating JWT, because we want all new users to first register with SAML SSO accounts.

Configure the common settings to add jwt as a single sign-on provider. This enables Just-In-Time account provisioning for users who do not have an existing GitLab account.

Steps to reproduce

There is no JWT OmniAuth authenticator configured at this time. We require people to log in via SAML in order to create new accounts.

Configuration

/var/opt/gitlab/registry/config.yml should have a realm setting similar to:

auth:
  token:
    realm: https://gitlab.example.com/jwt/auth
    ...

Versions

Please select whether options apply, and add the version information.

  • Self-managed
  • GitLab.com SaaS
  • Self-hosted Runners

Versions

  • GitLab: 16.9.1
  • GitLab Runner: 16.8.0

Thanks for any help : )
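As an added example for this issue (not code from the issue, from GitLab or from the registry): a small Python check that classifies what a registry returns for an unauthenticated GET /v2/. A 200 with no challenge is the "pull without authentication" state the docs quoted above warn about; a 401 with a Bearer challenge means token auth is on, and the check then verifies that the challenge's realm and service match the auth.token block from config.yml, that the realm is https, and that it points at the /jwt/auth endpoint that clients will follow (which must actually be served, unlike the 404 described above). The realm and service values come from the quoted configuration; the WWW-Authenticate header is a constructed sample, and it also decodes the scope parameter into the resource and actions the token endpoint would be asked to authorize.

```python
"""Check a container registry's token-auth challenge against the realm and
service it is configured with (added example; not GitLab or registry code).

The sample challenge header is constructed; CONFIGURED_REALM and
CONFIGURED_SERVICE come from the auth.token block quoted in the issue.
"""
import re
from urllib.parse import urlparse

# From the registry's auth.token block (config.yml) as quoted in the issue.
CONFIGURED_REALM = "https://gitlab.example.com/jwt/auth"
CONFIGURED_SERVICE = "container_registry"

# Constructed sample: the WWW-Authenticate header a token-auth registry sends
# with its 401 to GET /v2/; docker and podman fetch a token from this realm.
SAMPLE_CHALLENGE = (
    'Bearer realm="https://gitlab.example.com/jwt/auth",'
    'service="container_registry",'
    'scope="repository:group/project:push,pull"'
)

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header):
    """Split a Bearer challenge into its quoted parameters.

    Returns a dict such as {"realm": ..., "service": ..., "scope": ...},
    or None when the scheme is not Bearer (e.g. a Basic challenge).
    """
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    return dict(_PARAM_RE.findall(params))


def parse_scope(scope):
    """Decompose a scope such as 'repository:group/project:push,pull' into
    (resource type, resource name, list of requested actions)."""
    rtype, _, rest = scope.partition(":")
    name, _, actions = rest.rpartition(":")
    return rtype, name, actions.split(",")


def check_v2_response(status, www_authenticate, expected_realm, expected_service):
    """Classify the registry's reply to an unauthenticated GET /v2/.

    200 with no challenge  -> "anonymous": auth not set up, anyone can pull
    401 + Bearer challenge -> "token-auth" when realm/service match the
                              config, else "mismatch" with the differences
    anything else          -> "unexpected"
    Returns (verdict, findings).
    """
    if status == 200 and not www_authenticate:
        return "anonymous", ["/v2/ answered 200 with no challenge: pulls need no authentication"]
    if status != 401 or not www_authenticate:
        return "unexpected", [f"status {status} for /v2/ with challenge {www_authenticate!r}"]
    params = parse_bearer_challenge(www_authenticate)
    if params is None:
        return "unexpected", ["challenge scheme is not Bearer"]

    findings = []
    realm = params.get("realm", "")
    service = params.get("service")
    if realm != expected_realm:
        findings.append(f"challenge realm {realm!r} differs from configured {expected_realm!r}")
    if service != expected_service:
        findings.append(f"challenge service {service!r} differs from configured {expected_service!r}")
    url = urlparse(realm)
    if url.scheme != "https":
        findings.append("realm is not https: credentials and tokens would travel in the clear")
    if url.path != "/jwt/auth":
        findings.append(f"realm path {url.path!r} is not GitLab's /jwt/auth token endpoint")
    return ("token-auth" if not findings else "mismatch"), findings


if __name__ == "__main__":
    verdict, findings = check_v2_response(
        401, SAMPLE_CHALLENGE, CONFIGURED_REALM, CONFIGURED_SERVICE)
    print(verdict, findings)
    print(parse_scope(parse_bearer_challenge(SAMPLE_CHALLENGE)["scope"]))
```

To use it against a live registry, feed the status code and WWW-Authenticate header of a real unauthenticated GET /v2/ into check_v2_response; anything other than "token-auth" is worth a look before trusting pushes and pulls to that registry.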

It looks like I might just need the following in /etc/gitlab/gitlab.rb:

gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']

I should mention that when using Docker instead of Podman, I fail to log in at all:

# docker login dev-registry-opensource.ieee.org
Username: leaf-node
Password: 
Error response from daemon: Get "https://registry.gitlab.example.com/v2/": denied: access forbidden

Podman does seem to check the password accurately, because I can only log in with Podman when supplying a valid access token. That’s a bit odd, but interesting anyhow.

It looks like I was a bit off base here. The JWT SSO option is clearly for allowing logins using credentials via third-party JWT authentication providers.

So now I may need to find a way to make GitLab expose /jwt/auth on the primary domain, so the registry can successfully authenticate.