A complete gitlab/traefik config


#1

I am trying to run gitlab completely as a docker swarm stack (including docker registry and the possibility to clone repos via ssh). Since traefik does not support tcp streams I can’t use it for ssh. So I will have to define a route to tje container without traefik. The registry should run under a subdomain.

Please have a look at thid:
Domain: example.com
Gitlab: gitlab.example.com
Gitlab Docker registry: registry.example.com
Clone URL: ssh://git@gitlab.example.com:2222/user/repo.git

Any suggestions how to configure this or is it even possible?

Thanks a lot for any approach.


#2

I think you’re good on the gitlab/registry container idea - I agree that you can’t use traefik for SSH, but it shouldn’t matter, since swarm routing mesh will deliver any inbound TCP 2222 on any node, to the correct gitlab container.

D

(Have you looked at https://geek-cookbook.funkypenguin.co.nz/recipies/gitlab/ ?)


#3

Thank you for your quick reply. Unfortunately I couldn’t get sameersbn/gitlab working because of database errors. That’s why I tried the official gitlab image.

This is my current stack config:

version: '3.3'

networks:
  net:
    driver: overlay
  proxy:
    external:
      name: proxy_net

volumes:
  gitlab-conf:
  gitlab-logs:
  gitlab-data:

services:
  app:
    image: gitlab/gitlab-ce:latest
    hostname: '${GITLAB_HOST}'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url = '${GITLAB_URL}'
        nginx['listen_port'] = '80'
        nginx['listen_https'] = false
        registry_external_url = '${REGISTRY_URL}:4567'
        registry_nginx['listen_port'] = '4567'
        registry_nginx['listen_https'] = false
        gitlab_rails['gitlab_shell_ssh_port'] = 2222
        gitlab_rails['registry_enabled'] = true
    ports:
      - '2222:22'
      - '4567:4567'
    volumes:
      - gitlab-conf:/etc/gitlab
      - gitlab-logs:/var/log/gitlab
      - gitlab-data:/var/opt/gitlab
    networks:
      - net
      - proxy
    deploy:
      labels:
        - traefik.enable=true
        - traefik.port=80
        - traefik.backend=${GITLAB_HOST}
        - traefik.frontend.rule=Host:${GITLAB_HOST}
        - traefik.docker.network=proxy_net
        # - traefik.web.port=80
        # - traefik.web.backend=${GITLAB_HOST}
        # - traefik.web.frontend.rule=Host:${GITLAB_HOST}
        # - traefik.web.docker.network=proxy_net
        # - traefik.registry.port=4567
        # - traefik.registry.backend=${GITLAB_HOST}
        # - traefik.registry.frontend.rule=Host:${REGISTRY_HOST}
        # - traefik.registry.docker.network=proxy_net
      placement:
        constraints: [node.role == manager]

Any idea?


#4

Probably not the feedback you were hoping for, I really like what you’ve done with the environment variables! I’ll try and replicate what you’ve got above and refresh the recipe - maybe the sameersbn install is not the best choice anymore anyway. I’ve created an issue to track this, and will test it out over the next day or two :slight_smile:


#5

Thank you very much for your effort. I really appreciate it.

If you refresh the recipe anyway you should have a look at this compose file which I really like and try to adapt some parts:

What I don’t like of it is that it makes use of a second service as container registry. I think this makes no sense because gitlab provides the container registry already. Another thing what I realised is the fact that if I edit the gitlab.rb file itself and don’t use omnibus, then my stack file works! Maybe omnibus does not work properly…


#6

BTW, I got the original recipe (finger lickin’ good!) working with the addition of some environment variables. I couldn’t bring myself to try the omnibus solution, because I really like the separation of the various components (postgres, redis, etc) in the sameersbn/gitlab container design :slight_smile:


#7

I agree. Docker is mae for isolated singli purpose services. So the first thing is to separate any stack into pieces. :slight_smile: I prefere this too. But on the other hand I like to run official images… As you can see GitLab gets me in trouble. :wink: However, in the meanwhile I got my (official) GitLab running too (Including SSL encrypted container registry, working shared runners and working git connection over ssh - Everything behind traefik. :slight_smile: If you are interested let me know.


#8

Yes, let me know, can always have 2 gitlab recipies :wink:


#9

Here is my stack config if I may share :slight_smile:
Hopefully, it helps.

version: '3.3'
networks:
  proxy:
    external: true
services:
  gitlab:
    image: gitlab/gitlab-ce:latest
    restart: always
    container_name: gitlab
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.domain.com'
        registry_external_url 'https://registry.domain.com'
        nginx['listen_port'] = '80'
        nginx['listen_https'] = false
        registry_nginx['listen_port'] = '80'
        registry_nginx['listen_https'] = false
        gitlab_rails['registry_enabled'] = true
        gitlab_rails['gitlab_shell_ssh_port'] = 2222
    ports:
      - '2222:22'
    volumes:
      - /persist/gitlab/config:/etc/gitlab
      - /persist/gitlab/logs:/var/log/gitlab
      - /persist/gitlab/data:/var/opt/gitlab
    networks:
      - proxy
    labels:
      - traefik.docker.network=proxy
      - traefik.ci.frontend.rule=Host:gitlab.domain.com
      - traefik.ci.port=80
      - traefik.ci.frontend.entryPoints=http,https
      - traefik.reg.frontend.rule=Host:registry.domain.com
      - traefik.reg.port=80
      - traefik.reg.frontend.entryPoints=http,https

#10

Nice one, thank you! :slight_smile: