A complete gitlab/traefik config

shizonic · June 9, 2018, 10:33am

I am trying to run gitlab completely as a docker swarm stack (including docker registry and the possibility to clone repos via ssh). Since traefik does not support tcp streams I can’t use it for ssh. So I will have to define a route to tje container without traefik. The registry should run under a subdomain.

Please have a look at thid:
Domain: example.com
Gitlab: gitlab.example.com
Gitlab Docker registry: registry.example.com
Clone URL: ssh://[email protected]:2222/user/repo.git

Any suggestions how to configure this or is it even possible?

Thanks a lot for any approach.

funkypenguin · June 9, 2018, 11:03am

I think you’re good on the gitlab/registry container idea - I agree that you can’t use traefik for SSH, but it shouldn’t matter, since swarm routing mesh will deliver any inbound TCP 2222 on any node, to the correct gitlab container.

D

(Have you looked at GitLab |・∀・ ?)

shizonic · June 9, 2018, 1:45pm

Thank you for your quick reply. Unfortunately I couldn’t get sameersbn/gitlab working because of database errors. That’s why I tried the official gitlab image.

This is my current stack config:

version: '3.3'

networks:
  net:
    driver: overlay
  proxy:
    external:
      name: proxy_net

volumes:
  gitlab-conf:
  gitlab-logs:
  gitlab-data:

services:
  app:
    image: gitlab/gitlab-ce:latest
    hostname: '${GITLAB_HOST}'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url = '${GITLAB_URL}'
        nginx['listen_port'] = '80'
        nginx['listen_https'] = false
        registry_external_url = '${REGISTRY_URL}:4567'
        registry_nginx['listen_port'] = '4567'
        registry_nginx['listen_https'] = false
        gitlab_rails['gitlab_shell_ssh_port'] = 2222
        gitlab_rails['registry_enabled'] = true
    ports:
      - '2222:22'
      - '4567:4567'
    volumes:
      - gitlab-conf:/etc/gitlab
      - gitlab-logs:/var/log/gitlab
      - gitlab-data:/var/opt/gitlab
    networks:
      - net
      - proxy
    deploy:
      labels:
        - traefik.enable=true
        - traefik.port=80
        - traefik.backend=${GITLAB_HOST}
        - traefik.frontend.rule=Host:${GITLAB_HOST}
        - traefik.docker.network=proxy_net
        # - traefik.web.port=80
        # - traefik.web.backend=${GITLAB_HOST}
        # - traefik.web.frontend.rule=Host:${GITLAB_HOST}
        # - traefik.web.docker.network=proxy_net
        # - traefik.registry.port=4567
        # - traefik.registry.backend=${GITLAB_HOST}
        # - traefik.registry.frontend.rule=Host:${REGISTRY_HOST}
        # - traefik.registry.docker.network=proxy_net
      placement:
        constraints: [node.role == manager]

Any idea?

funkypenguin · June 11, 2018, 10:22am

Probably not the feedback you were hoping for, I really like what you’ve done with the environment variables! I’ll try and replicate what you’ve got above and refresh the recipe - maybe the sameersbn install is not the best choice anymore anyway. I’ve created an issue to track this, and will test it out over the next day or two

shizonic · June 11, 2018, 10:43am

Thank you very much for your effort. I really appreciate it.

If you refresh the recipe anyway you should have a look at this compose file which I really like and try to adapt some parts:

https://github.com/ambroisemaupate/docker-server-env/blob/master/compose/example-gitlab/docker-compose.yml

What I don’t like of it is that it makes use of a second service as container registry. I think this makes no sense because gitlab provides the container registry already. Another thing what I realised is the fact that if I edit the gitlab.rb file itself and don’t use omnibus, then my stack file works! Maybe omnibus does not work properly…

funkypenguin · June 14, 2018, 9:19am

BTW, I got the original recipe (finger lickin’ good!) working with the addition of some environment variables. I couldn’t bring myself to try the omnibus solution, because I really like the separation of the various components (postgres, redis, etc) in the sameersbn/gitlab container design

shizonic · June 14, 2018, 5:46pm

I agree. Docker is mae for isolated singli purpose services. So the first thing is to separate any stack into pieces. I prefere this too. But on the other hand I like to run official images… As you can see GitLab gets me in trouble. However, in the meanwhile I got my (official) GitLab running too (Including SSL encrypted container registry, working shared runners and working git connection over ssh - Everything behind traefik. If you are interested let me know.

funkypenguin · June 18, 2018, 9:03pm

Yes, let me know, can always have 2 gitlab recipies

HDebeuf · January 3, 2019, 9:26am

Here is my stack config if I may share
Hopefully, it helps.

version: '3.3'
networks:
  proxy:
    external: true
services:
  gitlab:
    image: gitlab/gitlab-ce:latest
    restart: always
    container_name: gitlab
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.domain.com'
        registry_external_url 'https://registry.domain.com'
        nginx['listen_port'] = '80'
        nginx['listen_https'] = false
        registry_nginx['listen_port'] = '80'
        registry_nginx['listen_https'] = false
        gitlab_rails['registry_enabled'] = true
        gitlab_rails['gitlab_shell_ssh_port'] = 2222
    ports:
      - '2222:22'
    volumes:
      - /persist/gitlab/config:/etc/gitlab
      - /persist/gitlab/logs:/var/log/gitlab
      - /persist/gitlab/data:/var/opt/gitlab
    networks:
      - proxy
    labels:
      - traefik.docker.network=proxy
      - traefik.ci.frontend.rule=Host:gitlab.domain.com
      - traefik.ci.port=80
      - traefik.ci.frontend.entryPoints=http,https
      - traefik.reg.frontend.rule=Host:registry.domain.com
      - traefik.reg.port=80
      - traefik.reg.frontend.entryPoints=http,https

funkypenguin · January 3, 2019, 6:11pm

Nice one, thank you!

ambroisemaupate · March 30, 2019, 1:58pm

Hi!

I saw that you were trying to use my code snippet for Gitlab + Registry with Træfik.

I’ve just updated it by creating a dedicated version for Træfik using only one omnibus container and exposing all 3 services with docker labels: docker-server-env/docker-compose.yml at master · ambroisemaupate/docker-server-env · GitHub.

Previous example was using separate services for Registry and Mattermost because we were using jwilder/nginx-proxy as Docker front proxy and it was not able to expose the same port twice for a single service (80 → gitlab and 80 → registry).

We still experience some issues with Mattermost, when requesting SSO access token. Feel free to pull request me if you have some suggestions or improvements.

funkypenguin · April 22, 2019, 9:44pm

That’s so much better than my recipe! Thank you, I’ve issued my self an issue to update accordingly: Update gitlab recipe to ambroisemaupate version · Issue #47 · geek-cookbook/geek-cookbook · GitHub

luizjr · May 17, 2020, 10:10pm

Thanks, this worked for me.