Insecure registry

I’ve enabled the registry in my GitLab server. It’s the latest (12.4.3) Docker image, which is based on the omnibus package. As there is an ingress controller inside Kubernetes, I’m running GitLab without HTTPS. Is there an option to set the Docker registry to HTTP only too? The documentation lacks this information and only states that it is out of scope.

None of the solutions I have found in this forum worked (most of them are a few years old). Can you please share the correct piece of gitlab.rb config?

1 Like

Hi Jan,

AFAIU, there is no HTTP option. GitLab container registry requires that you set registry_nginx['ssl_certificate'] and registry_nginx['ssl_certificate_key'].

Solution found:

/etc/gitlab/gitlab.rb snippet:

```ruby
registry_external_url 'http://registry.example.com'
gitlab_rails['registry_enabled'] = true
registry['enable'] = true
registry_nginx['enable'] = true
registry_nginx['listen_port'] = 5001
# The bundled nginx serves the registry over plain HTTP on port 5001
registry_nginx['listen_https'] = false
# Headers passed to the backend mark each request as having arrived over HTTPS
registry_nginx['proxy_set_headers'] = {
  "Host" => "$http_host",
  "X-Real-IP" => "$remote_addr",
  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on"
}
```

and Kubernetes setup (only important lines):

```yaml
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: gitlab
          image: gitlab/gitlab-ce:12.3.4-ce.0
          ports:
            - containerPort: 5001
              name: registry
---
apiVersion: v1
kind: Service
spec:
  type: NodePort
  ports:
    - protocol: TCP
      port: 5001
      name: registry
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
spec:
  rules:
    - host: registry.example.com
      http:
        paths:
        - path: /
          backend:
            servicePort: 5001
```

2 Likes
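
The settings from the solution above can be checked for the places where registry traffic travels in cleartext. This is an added example, not part of the original thread or of GitLab's code: the `GitlabRbRecorder` class, the function names and the finding ids are made up here, and the sample input is constructed from the posted snippet.

```ruby
require 'uri'

# Records gitlab.rb-style settings. gitlab.rb is Ruby, so instance_eval
# executes it: only feed this files you already trust.
class GitlabRbRecorder
  attr_reader :settings

  def initialize
    @settings = Hash.new { |h, k| h[k] = {} }
  end

  # `registry_external_url 'x'` stores a value; `registry_nginx['k'] = v`
  # first fetches the (auto-created) hash for that section.
  def method_missing(name, *args)
    args.empty? ? @settings[name.to_s] : (@settings[name.to_s] = args.first)
  end
end

def load_gitlab_rb(text)
  rec = GitlabRbRecorder.new
  rec.instance_eval(text)
  rec.settings
end

# Returns the ids of the transport-security points an operator should review.
def audit_registry(settings)
  nginx   = settings.fetch('registry_nginx', {})
  headers = nginx.fetch('proxy_set_headers', {})
  url     = URI.parse(settings.fetch('registry_external_url', ''))
  plain   = nginx['listen_https'] == false
  findings = []
  findings << :external_url_http if url.scheme == 'http'
  findings << :plaintext_listener if plain
  # A fixed "https" header marks every request as TLS-protected, including
  # one that reached the listener in cleartext without passing the ingress.
  if plain && (headers['X-Forwarded-Proto'] == 'https' || headers['X-Forwarded-Ssl'] == 'on')
    findings << :forwarded_proto_hardcoded
  end
  findings
end

# Constructed input: the transport-related settings from the post above.
SAMPLE = <<~'CONF'
  registry_external_url 'http://registry.example.com'
  registry_nginx['listen_port'] = 5001
  registry_nginx['listen_https'] = false
  registry_nginx['proxy_set_headers'] = {
    "X-Forwarded-Proto" => "https",
    "X-Forwarded-Ssl" => "on"
  }
CONF

puts audit_registry(load_gitlab_rb(SAMPLE)).inspect if __FILE__ == $PROGRAM_NAME
```

The findings are review points rather than errors: with TLS terminated at the ingress, a plain HTTP listener is expected, but the `NodePort` Service in the posted manifests also makes port 5001 reachable on every node without passing through the ingress.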