Add Gitlab Container Registry

.dockerignore

@@ -6,3 +6,4 @@ README.md
 Changelog.md
 Makefile
 docker-compose.yml
+docs

README.md

@@ -61,6 +61,8 @@
     - [Import Repositories](#import-repositories)
     - [Upgrading](#upgrading)
     - [Shell Access](#shell-access)
+- [Features](#features)
+ - [Container Registry](docs/container_registry.md)
 - [References](#references)
 
 # Introduction
@@ -792,13 +794,14 @@ Below is the complete list of available options that can be used to customize yo
 - **GITLAB_INCOMING_EMAIL_ENABLED**: Enable or disable gitlab reply by email feature. Defaults to the value of `IMAP_ENABLED`.
 - **GITLAB_SIGNUP_ENABLED**: Enable or disable user signups (first run only). Default is `true`.
 - **GITLAB_PROJECTS_LIMIT**: Set default projects limit. Defaults to `100`.
-- **GITLAB_USERNAME_CHANGE**: Enable or disable ability for users to change their username. Defaults is `true`.
-- **GITLAB_CREATE_GROUP**: Enable or disable ability for users to create groups. Defaults is `true`.
-- **GITLAB_PROJECTS_ISSUES**: Set if *issues* feature should be enabled by default for new projects. Defaults is `true`.
-- **GITLAB_PROJECTS_MERGE_REQUESTS**: Set if *merge requests* feature should be enabled by default for new projects. Defaults is `true`.
-- **GITLAB_PROJECTS_WIKI**: Set if *wiki* feature should be enabled by default for new projects. Defaults is `true`.
-- **GITLAB_PROJECTS_SNIPPETS**: Set if *snippets* feature should be enabled by default for new projects. Defaults is `false`.
-- **GITLAB_PROJECTS_BUILDS**: Set if *builds* feature should be enabled by default for new projects. Defaults is `true`.
+- **GITLAB_USERNAME_CHANGE**: Enable or disable ability for users to change their username. Defaults to `true`.
+- **GITLAB_CREATE_GROUP**: Enable or disable ability for users to create groups. Defaults to `true`.
+- **GITLAB_PROJECTS_ISSUES**: Set if *issues* feature should be enabled by default for new projects. Defaults to `true`.
+- **GITLAB_PROJECTS_MERGE_REQUESTS**: Set if *merge requests* feature should be enabled by default for new projects. Defaults to `true`.
+- **GITLAB_PROJECTS_WIKI**: Set if *wiki* feature should be enabled by default for new projects. Defaults to `true`.
+- **GITLAB_PROJECTS_SNIPPETS**: Set if *snippets* feature should be enabled by default for new projects. Defaults to `false`.
+- **GITLAB_PROJECTS_BUILDS**: Set if *builds* feature should be enabled by default for new projects. Defaults to `true`.
+- **GITLAB_PROJECTS_CONTAINER_REGISTRY**: Set if *container_registry* feature should be enabled by default for new projects. Defaults to `true`.
 - **GITLAB_WEBHOOK_TIMEOUT**: Sets the timeout for webhooks. Defaults to `10` seconds.
 - **GITLAB_TIMEOUT**: Sets the timeout for git commands. Defaults to `10` seconds.
 - **GITLAB_MAX_OBJECT_SIZE**: Maximum size (in bytes) of a git object (eg. a commit) in bytes. Defaults to `20971520`, i.e. `20` megabytes.
@@ -823,13 +826,22 @@ Below is the complete list of available options that can be used to customize yo
 - **GITLAB_SSH_PORT**: The ssh port number. Defaults to `22`.
 - **GITLAB_RELATIVE_URL_ROOT**: The relative url of the GitLab server, e.g. `/git`. No default.
 - **GITLAB_TRUSTED_PROXIES**: Add IP address reverse proxy to trusted proxy list, otherwise users will appear signed in from that address. Currently only a single entry is permitted. No defaults.
+- **GITLAB_REGISTRY_ENABLED**: Enables the GitLab Container Registry. Defaults to `false`.
+- **GITLAB_REGISTRY_HOST**: Sets the Gitlab Registry Host. Defaults to `registry.example.com`
+- **GITLAB_REGISTRY_PORT**: Sets the GitLab Registry Port. Defaults to `443`.
+- **GITLAB_REGISTRY_API_URL**: Sets the Gitlab Registry API URL. Defaults to `http://localhost:5000`
+- **GITLAB_REGISTRY_KEY_PATH**: Sets the GitLab Registry Key Path. Defaults to `config/registry.key`
+- **GITLAB_REGISTRY_DIR**: Directory to store the container images will be shared with registry. Defaults to `$GITLAB_SHARED_DIR/registry`
+- **GITLAB_REGISTRY_ISSUER**: Sets the Gitlab Registry Issuer. Defaults to `gitlab-issuer`.
 - **GITLAB_HTTPS**: Set to `true` to enable https support, disabled by default.
 - **SSL_SELF_SIGNED**: Set to `true` when using self signed ssl certificates. `false` by default.
 - **SSL_CERTIFICATE_PATH**: Location of the ssl certificate. Defaults to `/home/git/data/certs/gitlab.crt`
 - **SSL_KEY_PATH**: Location of the ssl private key. Defaults to `/home/git/data/certs/gitlab.key`
 - **SSL_DHPARAM_PATH**: Location of the dhparam file. Defaults to `/home/git/data/certs/dhparam.pem`
 - **SSL_VERIFY_CLIENT**: Enable verification of client certificates using the `SSL_CA_CERTIFICATES_PATH` file. Defaults to `false`
 - **SSL_CA_CERTIFICATES_PATH**: List of SSL certificates to trust. Defaults to `/home/git/data/certs/ca.crt`.
+- **SSL_REGISTRY_KEY_PATH**: Location of the ssl private key for gitlab container registry. Defaults to `/home/git/data/certs/registry.key`
+- **SSL_REGISTRY_CERT_PATH**: Location of the ssl certificate for the gitlab container registy. Defaults to `/home/git/data/certs/registry.crt`
 - **NGINX_WORKERS**: The number of nginx workers to start. Defaults to `1`.
 - **NGINX_HSTS_ENABLED**: Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`. See [#138](https://github.com/sameersbn/docker-gitlab/issues/138) for use case scenario.
 - **NGINX_HSTS_MAXAGE**: Advanced configuration option for setting the HSTS max-age in the gitlab nginx vHost configuration. Applicable only when SSL is in use. Defaults to `31536000`.

assets/runtime/config/gitlabhq/gitlab.yml

@@ -99,7 +99,7 @@ production: &base
       wiki: {{GITLAB_PROJECTS_WIKI}}
       snippets: {{GITLAB_PROJECTS_SNIPPETS}}
       builds: {{GITLAB_PROJECTS_BUILDS}}
-      container_registry: true
+      container_registry: {{GITLAB_PROJECTS_CONTAINER_REGISTRY}}
 
     ## Webhook settings
     # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
@@ -179,13 +179,13 @@ production: &base
       cron: "0 * * * *"
 
   registry:
-    # enabled: true
-    # host: registry.example.com
-    # port: 5005
-    # api_url: http://localhost:5000/ # internal address to the registry, will be used by GitLab to directly communicate with API
-    # key_path: config/registry.key
-    # path: shared/registry
-    # issuer: gitlab-issuer
+    enabled: {{GITLAB_REGISTRY_ENABLED}}    # Enables GitLab Container Registry Defaults to `true`
+    host: {{GITLAB_REGISTRY_HOST}}          # registry.example.com
+    port: {{GITLAB_REGISTRY_PORT}}          # 5005
+    api_url: {{GITLAB_REGISTRY_API_URL}}    # http://localhost:5000/ # internal address to the registry, will be used by GitLab to directly communicate with API
+    key: {{GITLAB_REGISTRY_KEY_PATH}}       # config/registry.key
+    path: {{GITLAB_REGISTRY_DIR}}
+    issuer: {{GITLAB_REGISTRY_ISSUER}}      # gitlab-issuer
 
   #
   # 2. GitLab CI settings
@@ -393,7 +393,7 @@ production: &base
                   idp_cert_fingerprint: '{{OAUTH_SAML_IDP_CERT_FINGERPRINT}}',
                   idp_sso_target_url: '{{OAUTH_SAML_IDP_SSO_TARGET_URL}}',
                   issuer: '{{OAUTH_SAML_ISSUER}}',
-                  attribute_statements: { 
+                  attribute_statements: {
                     first_name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME}}'],
                     last_name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME}}'],
                     name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME}}'],

assets/runtime/config/nginx/gitlab-registry

@@ -0,0 +1,53 @@
+## Lines starting with two hashes (##) are comments with information.
+## Lines starting with one hash (#) are configuration parameters that can be uncommented.
+##
+###################################
+##         configuration         ##
+###################################
+
+## Redirects all HTTP traffic to the HTTPS host
+server {
+  listen *:80;
+  server_name  {{GITLAB_REGISTRY_HOST}};
+  server_tokens off; ## Don't show the nginx version number, a security best practice
+  return 301 https://$http_host:$request_uri;
+  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_access.log;
+  error_log   {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_error.log;
+}
+
+server {
+  # If a different port is specified in https://gitlab.com/gitlab-org/gitlab-ce/blob/8-8-stable/config/gitlab.yml.example#L182,
+  # it should be declared here as well
+  listen *:{{NGINX_REGISTRY_PROXY_PORT}} ssl http2;
+  server_name {{GITLAB_REGISTRY_HOST}};
+  server_tokens off; ## Don't show the nginx version number, a security best practice
+
+  client_max_body_size 0;
+  chunked_transfer_encoding on;
+
+  ## Strong SSL Security
+  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
+  ssl on;
+  ssl_certificate {{SSL_REGISTRY_CERT_PATH}};
+  ssl_certificate_key {{SSL_REGISTRY_KEY_PATH}};
+
+  ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';
+  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
+  ssl_prefer_server_ciphers on;
+  ssl_session_cache  builtin:1000  shared:SSL:10m;
+  ssl_session_timeout  5m;
+
+  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_access.log;
+  error_log   {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_error.log;
+
+  location / {
+    proxy_set_header  Host              $http_host;   # required for docker client's sake
+    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
+    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
+    proxy_set_header  X-Forwarded-Proto $scheme;
+    proxy_read_timeout                  900;
+
+    proxy_pass {{GITLAB_REGISTRY_API_URL}};
+  }
+
+}

assets/runtime/env-defaults

@@ -72,6 +72,7 @@ GITLAB_PROJECTS_MERGE_REQUESTS=${GITLAB_PROJECTS_MERGE_REQUESTS:-true}
 GITLAB_PROJECTS_WIKI=${GITLAB_PROJECTS_WIKI:-true}
 GITLAB_PROJECTS_SNIPPETS=${GITLAB_PROJECTS_SNIPPETS:-false}
 GITLAB_PROJECTS_BUILDS=${GITLAB_PROJECTS_BUILDS:-true}
+GITLAB_PROJECTS_CONTAINER_REGISTRY=${GITLAB_PROJECTS_CONTAINER_REGISTRY:-true}
 GITLAB_RELATIVE_URL_ROOT=${GITLAB_RELATIVE_URL_ROOT:-}
 GITLAB_TRUSTED_PROXIES=${GITLAB_TRUSTED_PROXIES:-}
 if [[ -z ${GITLAB_RELATIVE_URL_ROOT} || ${GITLAB_RELATIVE_URL_ROOT} == / ]]; then # should not be set to `/`
@@ -110,13 +111,29 @@ GITLAB_NOTIFY_PUSHER=${GITLAB_NOTIFY_PUSHER:-false}
 
 GITLAB_ROBOTS_PATH=${GITLAB_ROBOTS_PATH:-${USERCONF_TEMPLATES_DIR}/gitlabhq/robots.txt}
 
+## REGISTRY
+GITLAB_REGISTRY_ENABLED=${GITLAB_REGISTRY_ENABLED:-false}
+GITLAB_REGISTRY_DIR="${GITLAB_REGISTRY_DIR:-$GITLAB_SHARED_DIR/registry}"
+GITLAB_REGISTRY_HOST=${GITLAB_REGISTRY_HOST:-registry.example.com}
+GITLAB_REGISTRY_PORT=${GITLAB_REGISTRY_PORT:-443}
+GITLAB_REGISTRY_API_URL=${GITLAB_REGISTRY_API_URL:-http://localhost:5000/}
+GITLAB_REGISTRY_KEY_PATH=${GITLAB_REGISTRY_KEY_PATH:-config/registry.key}
+GITLAB_REGISTRY_ISSUER=${GITLAB_REGISTRY_ISSUER:-gitlab-issuer}
+#Sets the nginx restistry port
+if [[ -z $GITLAB_REGISTRY_PORT ]]; then
+  NGINX_REGISTRY_PROXY_PORT=443
+fi
+
 ## SSL
 SSL_SELF_SIGNED=${SSL_SELF_SIGNED:-false}
 SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-$GITLAB_DATA_DIR/certs/gitlab.crt}
 SSL_KEY_PATH=${SSL_KEY_PATH:-$GITLAB_DATA_DIR/certs/gitlab.key}
 SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-$GITLAB_DATA_DIR/certs/dhparam.pem}
 SSL_VERIFY_CLIENT=${SSL_VERIFY_CLIENT:-off}
 
+SSL_REGISTRY_KEY_PATH=${SSL_REGISTRY_KEY_PATH:-$GITLAB_DATA_DIR/certs/registry.key}
+SSL_REGISTRY_CERT_PATH=${SSL_REGISTRY_CERT_PATH:-$GITLAB_DATA_DIR/certs/registry.crt}
+
 SSL_CA_CERTIFICATES_PATH=${SSL_CA_CERTIFICATES_PATH:-$CA_CERTIFICATES_PATH} # backward compatibility
 SSL_CA_CERTIFICATES_PATH=${SSL_CA_CERTIFICATES_PATH:-$GITLAB_DATA_DIR/certs/ca.crt}
 
@@ -149,6 +166,8 @@ case ${GITLAB_HTTPS} in
   *)    NGINX_X_FORWARDED_PROTO=${NGINX_X_FORWARDED_PROTO:-\$scheme} ;;
 esac
 
+NGINX_REGISTRY_PROXY_PORT=${NGINX_REGISTRY_PROXY_PORT:-$GITLAB_REGISTRY_PORT}
+
 ## MAIL DELIVERY
 SMTP_DOMAIN=${SMTP_DOMAIN:-www.gmail.com}
 SMTP_HOST=${SMTP_HOST:-smtp.gmail.com}

assets/runtime/functions

@@ -17,6 +17,7 @@ GITLAB_ROBOTS_CONFIG="${GITLAB_INSTALL_DIR}/public/robots.txt"
 GITLAB_SHELL_CONFIG="${GITLAB_SHELL_INSTALL_DIR}/config.yml"
 GITLAB_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab"
 GITLAB_CI_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab_ci"
+GITLAB_REGISTRY_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab-registry"
 
 # Compares two version strings `a` and `b`
 # Returns
@@ -810,9 +811,34 @@ gitlab_configure_project_features() {
     GITLAB_PROJECTS_WIKI \
     GITLAB_PROJECTS_SNIPPETS \
     GITLAB_PROJECTS_BUILDS \
+    GITLAB_PROJECTS_CONTAINER_REGISTRY \
     GITLAB_WEBHOOK_TIMEOUT
 }
 
+gitlab_configure_registry(){
+  echo "Configuring gitlab::registry..."
+  if [[ $GITLAB_REGISTRY_PORT != 443 ]]; then
+    update_template ${GITLAB_CONFIG} \
+      GITLAB_REGISTRY_ENABLED \
+      GITLAB_REGISTRY_DIR \
+      GITLAB_REGISTRY_HOST \
+      GITLAB_REGISTRY_PORT \
+      GITLAB_REGISTRY_API_URL \
+      GITLAB_REGISTRY_KEY_PATH \
+      GITLAB_REGISTRY_ISSUER
+  else
+    GITLAB_REGISTRY_PORT="" # Sets Registry Port to empty to set the key empty in the  .gitlab-ci.yml
+    update_template ${GITLAB_CONFIG} \
+      GITLAB_REGISTRY_ENABLED \
+      GITLAB_REGISTRY_DIR \
+      GITLAB_REGISTRY_HOST \
+      GITLAB_REGISTRY_PORT \
+      GITLAB_REGISTRY_API_URL \
+      GITLAB_REGISTRY_KEY_PATH \
+      GITLAB_REGISTRY_ISSUER
+  fi
+}
+
 nginx_configure_gitlab_ssl() {
   if [[ ${GITLAB_HTTPS} == true && -f ${SSL_CERTIFICATE_PATH} && -f ${SSL_KEY_PATH} && -f ${SSL_DHPARAM_PATH} ]]; then
     echo "Configuring nginx::gitlab::ssl..."
@@ -879,6 +905,20 @@ nginx_configure_gitlab_ci() {
   fi
 }
 
+nginx_configure_gitlab_registry() {
+  if [[ $GITLAB_REGISTRY_ENABLED == true && -f ${SSL_REGISTRY_CERT_PATH} && -f ${SSL_REGISTRY_KEY_PATH} ]]; then
+    echo "Configuring nginx::gitlab-registry..."
+    update_template ${GITLAB_REGISTRY_NGINX_CONFIG} \
+      GITLAB_LOG_DIR \
+      NGINX_REGISTRY_PROXY_PORT \
+      GITLAB_REGISTRY_HOST \
+      GITLAB_REGISTRY_API_URL \
+      SSL_REGISTRY_KEY_PATH \
+      SSL_REGISTRY_CERT_PATH
+  fi
+}
+
+
 #   _|_|_|              _|        _|  _|
 #   _|    _|  _|    _|  _|_|_|    _|        _|_|_|
 #   _|_|_|    _|    _|  _|    _|  _|  _|  _|
@@ -961,6 +1001,7 @@ initialize_datadir() {
   chmod u+rwX ${GITLAB_SHARED_DIR}
   chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}
 
+  # create attifacts dir
   mkdir -p ${GITLAB_ARTIFACTS_DIR}
   chmod u+rwX ${GITLAB_ARTIFACTS_DIR}
   chown ${GITLAB_USER}: ${GITLAB_ARTIFACTS_DIR}
@@ -974,6 +1015,13 @@ initialize_datadir() {
   chmod u+rwX ${GITLAB_LFS_OBJECTS_DIR}
   chown ${GITLAB_USER}: ${GITLAB_LFS_OBJECTS_DIR}
 
+  # create registry dir
+  if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then
+    mkdir -p ${GITLAB_REGISTRY_DIR}
+    chmod u+rwX ${GITLAB_REGISTRY_DIR}
+    chown ${GITLAB_USER}: ${GITLAB_REGISTRY_DIR}
+  fi
+
   # create the backups directory
   mkdir -p ${GITLAB_BACKUP_DIR}
   chown ${GITLAB_USER}: ${GITLAB_BACKUP_DIR}
@@ -1035,6 +1083,11 @@ sanitize_datadir() {
   chmod -R u+rwX ${GITLAB_LFS_OBJECTS_DIR}
   chown -R ${GITLAB_USER}: ${GITLAB_LFS_OBJECTS_DIR}
 
+  if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then
+    chmod -R u+rwX ${GITLAB_REGISTRY_DIR}
+    chown -R ${GITLAB_USER}: ${GITLAB_REGISTRY_DIR}
+  fi
+
   find ${GITLAB_DATA_DIR}/uploads -type f -exec chmod 0644 {} \;
   find ${GITLAB_DATA_DIR}/uploads -type d -not -path ${GITLAB_DATA_DIR}/uploads -exec chmod 0755 {} \;
   chmod 0700 ${GITLAB_DATA_DIR}/uploads/
@@ -1115,6 +1168,15 @@ install_configuration_templates() {
   if [[ -n $GITLAB_CI_HOST ]]; then
     install_template root: nginx/gitlab_ci ${GITLAB_CI_NGINX_CONFIG}
   fi
+
+  if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then
+    if [[ -f ${SSL_REGISTRY_CERT_PATH} && -f ${SSL_REGISTRY_KEY_PATH} ]]; then
+      install_template root: nginx/gitlab-registry ${GITLAB_REGISTRY_NGINX_CONFIG}
+    else
+      echo "SSL key and certificates for Registry were not found"
+      echo "Assuming that the Registry is running behind an enabled load balancer"
+    fi
+  fi
 }
 
 configure_gitlab() {
@@ -1160,6 +1222,7 @@ configure_gitlab() {
   gitlab_configure_gravatar
   gitlab_configure_analytics
   gitlab_configure_backups
+  gitlab_configure_registry
 
   # remove stale gitlab.socket
   rm -rf ${GITLAB_INSTALL_DIR}/tmp/sockets/gitlab.socket
@@ -1186,6 +1249,7 @@ configure_nginx() {
   sed -i "s|worker_processes .*|worker_processes ${NGINX_WORKERS};|" /etc/nginx/nginx.conf
   nginx_configure_gitlab
   nginx_configure_gitlab_ci
+  nginx_configure_gitlab_registry
 }
 
 migrate_database() {