• Design Choices
  • Required
  • Optional
• Configuration
• Installation parameters
• Chart configuration examples
  • pullSecrets
  • tolerations
  • annotations
• Enable the sub-chart
• Configuring the image
• Configuring the service
• Configuring the ingress
• Configuring TLS
  • Configuring TLS for the debug port
• Configuring the networkpolicy
  • Example policy for preventing connections to all internal endpoints
• Configuring KEDA
  • Example policy for preventing connections to all internal endpoints
• Defining the Registry Configuration
  • httpSecret
  • Notification Secret
  • Redis cache Secret
  • authEndpoint
  • certificate
  • readiness and liveness probe
  • validation
    • manifests
  • notifications
  • hpa
  • storage
  • middleware.storage
    • keypairid variants
  • debug
  • health
  • reporting
  • profiling
  • database
    • Creating the database
  • gc
  • Redis cache
    • Sentinels
• Garbage Collection
  • Manual Garbage Collection
  • Running administrative commands against the Container Registry

Using the Container Registry

The registry sub-chart provides the Registry component to a complete cloud-native GitLab deployment on Kubernetes. This sub-chart makes use of the upstream registry container containing Docker Distribution. This chart is composed of 3 primary parts: Service, Deployment, and ConfigMap.

All configuration is handled according to the official Registry configuration documentation using /etc/docker/registry/config.yml variables provided to the Deployment populated from the ConfigMap. The ConfigMap overrides the upstream defaults, but is based on them. See below for more details:

• distribution/cmd/registry/config-example.yml
• distribution-library-image/config-example.yml

Design Choices

A Kubernetes Deployment was chosen as the deployment method for this chart to allow for simple scaling of instances, while allowing for rolling updates.

This chart makes use of two required secrets and one optional:

Required

• global.registry.certificate.secret: A global secret that will contain the public certificate bundle to verify the authentication tokens provided by the associated GitLab instance(s). See documentation on using GitLab as an auth endpoint.
• global.registry.httpSecret.secret: A global secret that will contain the shared secret between registry pods.

Optional

• profiling.stackdriver.credentials.secret: If Stackdriver profiling is enabled and you need to provide explicit service account credentials, then the value in this secret (in the credentials key by default) is the GCP service account JSON credentials. If you are using GKE and are providing service accounts to your workloads using Workload Identity (or node service accounts, although this is not recommended), then this secret is not required and should not be supplied. In either case, the service account requires the role roles/cloudprofiler.agent or equivalent manual permissions

Configuration

We will describe all the major sections of the configuration below. When configuring from the parent chart, these values will be:

registry:
  enabled:
  maintenance:
    readonly:
      enabled: false
    uploadpurging:
      enabled: true
      age: 168h
      interval: 24h
      dryrun: false
  image:
    tag: 'v3.78.0-gitlab'
    pullPolicy: IfNotPresent
  annotations:
  service:
    type: ClusterIP
    name: registry
  httpSecret:
    secret:
    key:
  authEndpoint:
  tokenIssuer:
  certificate:
    secret: gitlab-registry
    key: registry-auth.crt
  deployment:
    terminationGracePeriodSeconds: 30
  draintimeout: '0'
  hpa:
    minReplicas: 2
    maxReplicas: 10
    cpu:
      targetAverageUtilization: 75
    behavior:
      scaleDown:
        stabilizationWindowSeconds: 300
  storage:
    secret:
    key: storage
    extraKey:
  validation:
    disabled: true
    manifests:
      referencelimit: 0
      payloadsizelimit: 0
      urls:
        allow: []
        deny: []
  notifications: {}
  tolerations: []
  ingress:
    enabled: false
    tls:
      enabled: true
      secretName: redis
    annotations:
    configureCertmanager:
    proxyReadTimeout:
    proxyBodySize:
    proxyBuffering:
  networkpolicy:
    enabled: false
    egress:
      enabled: false
      rules: []
    ingress:
      enabled: false
      rules: []
  tls:
    enabled: false
    secretName:
    verify: true
    caSecretName:

If you chose to deploy this chart as a standalone, remove the registry at the top level.

Installation parameters

Chart configuration examples

pullSecrets

pullSecrets allows you to authenticate to a private registry to pull images for a pod.

Additional details about private registries and their authentication methods can be found in the Kubernetes documentation.

Below is an example use of pullSecrets:

image:
  repository: my.registry.repository
  tag: latest
  pullPolicy: Always
  pullSecrets:
  - name: my-secret-name
  - name: my-secondary-secret-name

tolerations

tolerations allow you schedule pods on tainted worker nodes

Below is an example use of tolerations:

tolerations:
- key: "node_label"
  operator: "Equal"
  value: "true"
  effect: "NoSchedule"
- key: "node_label"
  operator: "Equal"
  value: "true"
  effect: "NoExecute"

annotations

annotations allows you to add annotations to the registry pods.

Below is an example use of annotations

annotations:
  kubernetes.io/example-annotation: annotation-value

Enable the sub-chart

The way we’ve chosen to implement compartmentalized sub-charts includes the ability to disable the components that you may not want in a given deployment. For this reason, the first setting you should decide on is enabled.

By default, Registry is enabled out of the box. Should you wish to disable it, set enabled: false.

Configuring the image

This section details the settings for the container image used by this sub-chart’s Deployment. You can change the included version of the Registry and pullPolicy.

Default settings:

• tag: 'v3.78.0-gitlab'
• pullPolicy: 'IfNotPresent'

Configuring the service

This section controls the name and type of the Service. These settings will be populated by values.yaml.

By default, the Service is configured as:

Configuring the ingress

This section controls the registry Ingress.

Configuring TLS

Container Registry supports TLS which secures its communication with other components, including nginx-ingress.

Prerequisites to configure TLS:

• The TLS certificate must include the Registry Service host name (for example, RELEASE-registry.default.svc) in the Common Name (CN) or Subject Alternate Name (SAN).
• After the TLS certificate generates:
  • Create a Kubernetes TLS Secret
  • Create another Secret that only contains the CA certificate of the TLS certificate with ca.crt key.

To enable TLS:

1. Set registry.tls.enabled to true.
2. Set global.hosts.registry.protocol to https.
3. Pass the Secret names to registry.tls.secretName and global.certificates.customCAs accordingly.

When registry.tls.verify is true, you must pass the CA certificate Secret name to registry.tls.caSecretName. This is necessary for self-signed certificates and custom Certificate Authorities. This Secret is used by NGINX to verify the TLS certificate of Registry.

For example:

global:
  certificates:
    customCAs:
    - secret: registry-tls-ca
  hosts:
    registry:
      protocol: https

registry:
  tls:
    enabled: true
    secretName: registry-tls
    verify: true
    caSecretName: registry-tls-ca

Configuring TLS for the debug port

The Registry debug port also supports TLS. The debug port is used for the Kubernetes liveness and readiness checks as well as exposing a /metrics endpoint for Prometheus (if enabled).

TLS can be enabled for by setting registry.debug.tls.enabled to true. A Kubernetes TLS Secret can be provided in registry.debug.tls.secretName dedicated for use in the debug port’s TLS configuration. If a dedicated secret is not specified, the debug configuration will fall back to sharing registry.tls.secretName with the registry’s regular TLS configuration.

For Prometheus to scrape the /metrics/ endpoint using https - additional configuration is required for the certificate’s CommonName attribute or a SubjectAlternativeName entry. See Configuring Prometheus to scrape TLS-enabled endpoints for those requirements.

Configuring the networkpolicy

This section controls the registry NetworkPolicy. This configuration is optional and is used to limit egress and Ingress of the registry to specific endpoints. and Ingress to specific endpoints.

Example policy for preventing connections to all internal endpoints

The Registry service normally requires egress connections to object storage, Ingress connections from Docker clients, and kube-dns for DNS lookups. This adds the following network restrictions to the Registry service:

• All egress requests to the local network on 10.0.0.0/8 port 53 are allowed (for kubeDNS)
• Other egress requests to the local network on 10.0.0.0/8 are restricted
• Egress requests outside of the 10.0.0.0/8 are allowed

Note that the registry service requires outbound connectivity to the public internet for images on external object storage

networkpolicy:
  enabled: true
  egress:
    enabled: true
    # The following rules enable traffic to all external
    # endpoints, except the local
    # network (except DNS requests)
    rules:
      - to:
        - ipBlock:
            cidr: 10.0.0.0/8
        ports:
        - port: 53
          protocol: UDP
      - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
            - 10.0.0.0/8

Configuring KEDA

This keda section enables the installation of KEDA ScaledObjects instead of regular HorizontalPodAutoscalers. This configuration is optional and can be used when there is a need for autoscaling based on custom or external metrics.

Most settings default to the values set in the hpa section where applicable.

If the following are true, CPU and memory triggers are added automatically based on the CPU and memory thresholds set in the hpa section:

• triggers is not set.
• The corresponding request.cpu.request or request.memory.request setting is also set to a non-zero value.

If no triggers are set, the ScaledObject is not created.

Refer to the KEDA documentation for more details about those settings.

Example policy for preventing connections to all internal endpoints

The Registry service normally requires egress connections to object storage, Ingress connections from Docker clients, and kube-dns for DNS lookups. This adds the following network restrictions to the Registry service:

• All egress requests to the local network on 10.0.0.0/8 port 53 are allowed (for kubeDNS)
• Other egress requests to the local network on 10.0.0.0/8 are restricted
• Egress requests outside of the 10.0.0.0/8 are allowed

Note that the registry service requires outbound connectivity to the public internet for images on external object storage

networkpolicy:
  enabled: true
  egress:
    enabled: true
    # The following rules enable traffic to all external
    # endpoints, except the local
    # network (except DNS requests)
    rules:
      - to:
        - ipBlock:
            cidr: 10.0.0.0/8
        ports:
        - port: 53
          protocol: UDP
      - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
            - 10.0.0.0/8

Defining the Registry Configuration

The following properties of this chart pertain to the configuration of the underlying registry container. Only the most critical values for integration with GitLab are exposed. For this integration, we make use of the auth.token.x settings of Docker Distribution, controlling authentication to the registry via JWT authentication tokens.

httpSecret

Field httpSecret is a map that contains two items: secret and key.

The content of the key this references correlates to the http.secret value of registry. This value should be populated with a cryptographically generated random string.

The shared-secrets job will automatically create this secret if not provided. It will be filled with a securely generated 128 character alpha-numeric string that is base64 encoded.

To create this secret manually:

kubectl create secret generic gitlab-registry-httpsecret --from-literal=secret=strongrandomstring

Notification Secret

Notification Secret is utilized for calling back to the GitLab application in various ways, such as for Geo to help manage syncing Container Registry data between primary and secondary sites.

The notificationSecret secret object will be automatically created if not provided, when the shared-secrets feature is enabled.

To create this secret manually:

kubectl create secret generic gitlab-registry-notification --from-literal=secret=[\"strongrandomstring\"]

Then proceed to set

global:
  # To provide your own secret
  registry:
    notificationSecret:
        secret: gitlab-registry-notification
        key: secret

  # If utilising Geo, and wishing to sync the container registry
  geo:
    registry:
      replication:
        enabled: true
        primaryApiUrl: <URL to primary registry>

Ensuring the secret value is set to the name of the secret created above

Redis cache Secret

The Redis cache Secret is used when global.redis.auth.enabled is set to true.

When the shared-secrets feature is enabled, the gitlab-redis-secret secret object is automatically created if not provided.

To create this secret manually, see the Redis password instructions.

authEndpoint

The authEndpoint field is a string, providing the URL to the GitLab instance(s) that the registry will authenticate to.

The value should include the protocol and hostname only. The chart template will automatically append the necessary request path. The resulting value will be populated to auth.token.realm inside the container. For example: authEndpoint: "https://gitlab.example.com"

By default this field is populated with the GitLab hostname configuration set by the Global Settings.

certificate

The certificate field is a map containing two items: secret and key.

secret is a string containing the name of the Kubernetes Secret that houses the certificate bundle to be used to verify the tokens created by the GitLab instance(s).

key is the name of the key in the Secret which houses the certificate bundle that will be provided to the registry container as auth.token.rootcertbundle.

Default Example:

certificate:
  secret: gitlab-registry
  key: registry-auth.crt

readiness and liveness probe

By default there is a readiness and liveness probe configured to check /debug/health on port 5001 which is the debug port.

validation

The validation field is a map that controls the Docker image validation process in the registry. When image validation is enabled the registry rejects windows images with foreign layers, unless the manifests.urls.allow field within the validation stanza is explicitly set to allow those layer urls.

Validation only happens during manifest push, so images already present in the registry are not affected by changes to the values in this section.

The image validation is turned off by default.

To enable image validation you need to explicitly set registry.validation.disabled: false.

manifests

The manifests field allows configuration of validation policies particular to manifests.

The urls section contains both allow and deny fields. For manifest layers which contain URLs to pass validation, that layer must match one of the regular expressions in the allow field, while not matching any regular expression in the deny field.

notifications

The notifications field is used to configure Registry notifications. It has an empty hash as default value.

An example setting will look like the following:

notifications:
  endpoints:
    - name: FooListener
      url: https://foolistener.com/event
      timeout: 500ms
      threshold: 10
      backoff: 1s
    - name: BarListener
      url: https://barlistener.com/event
      timeout: 100ms
      threshold: 3
      backoff: 1s
  events:
    includereferences: true

hpa

The hpa field is an object, controlling the number of registry instances to create as a part of the set. This defaults to a minReplicas value of 2, a maxReplicas value of 10, and configures the cpu.targetAverageUtilization to 75%.

storage

storage:
  secret:
  key: config
  extraKey:

The storage field is a reference to a Kubernetes Secret and associated key. The content of this secret is taken directly from Registry Configuration: storage. Please refer to that documentation for more details.

Examples for AWS s3 and Google GCS drivers can be found in examples/objectstorage:

• registry.s3.yaml
• registry.gcs.yaml

For S3, make sure you give the correct permissions for registry storage. For more information about storage configuration, see Container Registry storage driver in the administration documentation.

Place the contents of the storage block into the secret, and provide the following as items to the storage map:

• secret: name of the Kubernetes Secret housing the YAML block.
• key: name of the key in the secret to use. Defaults to config.
• extraKey: (optional) name of an extra key in the secret, which will be mounted to /etc/docker/registry/storage/${extraKey} within the container. This can be used to provide the keyfile for the gcs driver.

# Example using S3
kubectl create secret generic registry-storage \
    --from-file=config=registry-storage.yaml

# Example using GCS with JSON key
# - Note: `registry.storage.extraKey=gcs.json`
kubectl create secret generic registry-storage \
    --from-file=config=registry-storage.yaml \
    --from-file=gcs.json=example-project-382839-gcs-bucket.json

You can disable the redirect for the storage driver, ensuring that all traffic flows through the Registry service instead of redirecting to another backend:

storage:
  secret: example-secret
  key: config
  redirect:
    disable: true

If you chose to use the filesystem driver:

• You will need to provide persistent volumes for this data.
• hpa.minReplicas should be set to 1
• hpa.maxReplicas should be set to 1

For the sake of resiliency and simplicity, it is recommended to make use of an external service, such as s3, gcs, azure or other compatible Object Storage.

middleware.storage

Configuration of middleware.storage follows upstream convention:

Configuration is fairly generic and follows similar pattern:

middleware:
  # See https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md#middleware
  storage:
    - name: cloudfront
      options:
        baseurl: https://abcdefghijklmn.cloudfront.net/
        # `privatekey` is auto-populated with the content from the privatekey Secret.
        privatekeySecret:
          secret: cloudfront-secret-name
          # "key" value is going to be used to generate file name for PEM storage:
          #   /etc/docker/registry/middleware.storage/<index>/<key>
          key: private-key-ABC.pem
        keypairid: ABCEDFGHIJKLMNOPQRST

Within above code options.privatekeySecret is a generic Kubernetes secret contents of which corresponds to PEM file contents:

kubectl create secret generic cloudfront-secret-name --type=kubernetes.io/ssh-auth --from-file=private-key-ABC.pem=pk-ABCEDFGHIJKLMNOPQRST.pem

privatekey used upstream is being auto-populated by chart from the privatekey Secret and will be ignored if specified.

keypairid variants

Various vendors use different field names for the same construct:

debug

The debug port is enabled by default and is used for the liveness/readiness probe. Additionally, Prometheus metrics can be enabled via the metrics values.

debug:
  addr:
    port: 5001

metrics:
  enabled: true

health

The health property is optional, and contains preferences for a periodic health check on the storage driver’s backend storage. For more details, see Docker’s configuration documentation.

health:
  storagedriver:
    enabled: false
    interval: 10s
    threshold: 3

reporting

The reporting property is optional and enables reporting

reporting:
  sentry:
    enabled: true
    dsn: 'https://<key>@sentry.io/<project>'
    environment: 'production'

profiling

The profiling property is optional and enables continuous profiling

profiling:
  stackdriver:
    enabled: true
    credentials:
      secret: gitlab-registry-profiling-creds
      key: credentials
    service: gitlab-registry

database

The database property is optional and enables the metadata database.

database:
  enabled: true
  host: registry.db.example.com
  port: 5432
  user: registry
  password:
    secret: gitlab-postgresql-password
    key: postgresql-registry-password
  dbname: registry
  sslmode: verify-full
  ssl:
    secret: gitlab-registry-postgresql-ssl
    clientKey: client-key.pem
    clientCertificate: client-cert.pem
    serverCA: server-ca.pem
  connecttimeout: 5s
  draintimeout: 2m
  preparedstatements: false
  pool:
    maxidle: 25
    maxopen: 25
    maxlifetime: 5m
    maxidletime: 5m
  migrations:
    enabled: true
    activeDeadlineSeconds: 3600
    backoffLimit: 6
  discovery:
    enabled: true
    nameserver: 'nameserver.fqdn'
    port: 53
    primaryrecord: 'primary.record.fqdn.'
    tcp: false

Creating the database

If the Registry database is enabled, Registry will use its own database to track its state.

Follow the steps below to manually create the database and role.

1. Create the secret with the database password:

   kubectl create secret generic RELEASE_NAME-registry-database-password --from-literal=password=randomstring
   

2. Log into your database instance:

   kubectl exec -it $(kubectl get pods -l app=postgresql -o custom-columns=NAME:.metadata.name --no-headers) -- bash
   

   PGPASSWORD=$(cat $POSTGRES_POSTGRES_PASSWORD_FILE) psql -U postgres -d template1
   

3. Create the database user:

   CREATE ROLE registry WITH LOGIN;
   

4. Set the database user password.

   1. Fetch the password:

      kubectl get secret RELEASE_NAME-registry-database-password -o jsonpath="{.data.password}" | base64 --decode
      

   2. Set the password in the psql prompt:

      \password registry
      

5. Create the database:

   CREATE DATABASE registry WITH OWNER registry;
   

6. Safely exit from the PostgreSQL command line and then from the container using exit:

   template1=# exit
   ...@gitlab-postgresql-0/$ exit
   

gc

The gc property is optional and provides options related to online garbage collection.

gc:
  disabled: false
  maxbackoff: 24h
  noidlebackoff: false
  transactiontimeout: 10s
  reviewafter: 24h
  manifests:
    disabled: false
    interval: 5s
  blobs:
    disabled: false
    interval: 5s
    storagetimeout: 5s

Redis cache

The redis.cache property is optional and provides options related to the Redis cache. To use redis.cache with the registry, the metadata database must be enabled.

For example:

redis:
  cache:
    enabled: true
    host: localhost
    port: 16379
    password:
      secret: gitlab-redis-secret
      key: redis-password
    db: 0
    dialtimeout: 10ms
    readtimeout: 10ms
    writetimeout: 10ms
    tls:
      enabled: true
      insecure: true
    pool:
      size: 10
      maxlifetime: 1h
      idletimeout: 300s

Sentinels

The redis.cache can use the global.redis.sentinels configuration. Local values can be provided and will take precedence over the global values. For example:

redis:
  cache:
    enabled: true
    host: redis.example.com
    sentinels:
      - host: sentinel1.example.com
        port: 16379
      - host: sentinel2.example.com
        port: 16379

Garbage Collection

The Docker Registry will build up extraneous data over time which can be freed using garbage collection. As of now there is no fully automated or scheduled way to run the garbage collection with this Chart.

Manual Garbage Collection

Manual garbage collection requires the registry to be in read-only mode first. Let’s assume that you’ve already installed the GitLab chart by using Helm, named it mygitlab, and installed it in the namespace gitlabns. Replace these values in the commands below according to your actual configuration.

# Because of https://github.com/helm/helm/issues/2948 we can't rely on --reuse-values, so let's get our current config.
helm get values mygitlab > mygitlab.yml
# Upgrade Helm installation and configure the registry to be read-only.
# The --wait parameter makes Helm wait until all ressources are in ready state, so we are safe to continue.
helm upgrade mygitlab gitlab/gitlab -f mygitlab.yml --set registry.maintenance.readOnly.enabled=true --wait
# Our registry is in r/o mode now, so let's get the name of one of the registry Pods.
# Note down the Pod name and replace the '<registry-pod>' placeholder below with that value.
# Replace the single quotes to double quotes (' => ") if you are using this with Windows' cmd.exe.
kubectl get pods -n gitlabns -l app=registry -o jsonpath='{.items[0].metadata.name}'
# Run the actual garbage collection. Check the registry's manual if you really want the '-m' parameter.
kubectl exec -n gitlabns <registry-pod> -- /bin/registry garbage-collect -m /etc/docker/registry/config.yml
# Reset registry back to original state.
helm upgrade mygitlab gitlab/gitlab -f mygitlab.yml --wait
# All done :)

Running administrative commands against the Container Registry

The administrative commands can be run against the Container Registry only from a Registry pod, where both the registry binary as well as necessary configuration is available. Issue #2629 is open to discuss how to provide this functionality from the toolbox pod.

To run administrative commands:

1. Connect to a Registry pod:

   kubectl exec -it <registry-pod> -- bash
   

2. Once inside the Registry pod, the registry binary is available in PATH and can be used directly. The configuration file is available at /etc/docker/registry/config.yml. The following example checks the status of the database migration:

   registry database migrate status /etc/docker/registry/config.yml
   

For further details and other available commands, refer to the relevant documentation:

• General Registry documentation
• GitLab-specific Registry documentation