I got a working instance of Gitlab, and I would like to activate the registry with a custom domain.
The main gitlab domain is gitlab.my.domain and the registry is available at registry.gitlab.my.domain.
Everything is behind an Apache2 reverse proxy server.
I have setup a Personal Access Tokens with full access (api, read_api, read_user, create_runner, k8s_proxy, read_repository, write_repository, read_registry, write_registry, ai_features, sudo, admin_mode, read_service_ping)
When I try to login to the registry I get:
$ docker login registry.gitlab.my.domain -u me --password-stdin <<< glpat-dEGdzb6kwzTQx9557Shx
Error response from daemon: Get "https://registry.gitlab.my.domain/v2/": denied: access forbidden
Here are the configuration files.
Apache vhost of the registry:
<VirtualHost *:80>
ServerName registry.gitlab.my.domain
Protocols h2 http/1.1
RewriteEngine On
RewriteCond %{SERVER_NAME} =registry.gitlab.my.domain [OR]
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /home/www/www-tools/gitlab
ServerName registry.gitlab.my.domain
ServerSignature Off
ProxyRequests Off
ProxyPreserveHost On
Header set Host "registry.gitlab.my.domain"
Header always set Docker-Distribution-Api-Version "registry/2.0"
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}
RequestHeader set X-Forwarded-Proto "https"
RewriteEngine On
ProxyPass / http://localhost:5050/ nocanon
ProxyPassReverse / http://localhost:5050/
AllowEncodedSlashes NoDecode
Protocols h2 h2c http/1.1
ErrorLog /var/log/apache2/registry.gitlab-error.log
CustomLog /var/log/apache2/registry.gitlab-access.log combined
SSLCertificateFile /etc/letsencrypt/live/registry.gitlab.my.domain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/registry.gitlab.my.domain/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
docker-compose with relevant parts of the gitlab.rb configuration I change:
version: '3.7'
services:
web:
image: 'gitlab/gitlab-ce:latest'
restart: always
container_name: gitlab
environment:
GITLAB_OMNIBUS_CONFIG: |
external_url 'http://gitlab.my.domain'
nginx['listen_port'] = 8282
gitlab_rails['registry_enabled'] = true
registry_external_url 'http://registry.gitlab.my.domain'
gitlab_rails['registry_host'] = "registry.gitlab.my.domain"
registry_nginx['listen_port'] = 5050
registry_nginx['listen_https'] = false
EOS
ports:
- '8282:8282'
- '5050:5050'
- '2222:22'
volumes:
- '$GITLAB_HOME/config:/etc/gitlab'
- '$GITLAB_HOME/logs:/var/log/gitlab'
- '$GITLAB_HOME/data:/var/opt/gitlab'
shm_size: '256m'
networks:
- gitlab
gitlab-runner:
image: gitlab/gitlab-runner:alpine
container_name: gitlab-runner
restart: always
depends_on:
- web
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- '$GITLAB_HOME/gitlab-runner:/etc/gitlab-runner'
networks:
- gitlab
networks:
gitlab:
name: gitlab-network
Can someone please help me find what I am missing please ?
Thanks !