This is the solution. I posted the question on Stack Overflow.
I was able to solve the problem by creating a certificate on the docker host, as reported here:

```bash
mkdir certs
cd certs
# Generate a random password (password_file) used in the next commands
openssl rand -hex -out password_file 32
# Create a PKCS#10 certificate request; without -keyout the new
# (passphrase-protected) key is written to privkey.pem
openssl req -new -passout file:password_file -newkey rsa:4096 -batch > registry.csr
# Convert RSA key: strip the passphrase so the services can read registry.key
openssl rsa -passin file:password_file -in privkey.pem -out registry.key
# Generate a self-signed certificate for that key
openssl x509 -in registry.csr -out registry.crt -req -signkey registry.key -days 10000
```
Then I assigned the `certs` folder to the two (gitlab and registry) containers.

This certificate configuration allows gitlab and gitlab registry to sort of auto-login and talk to each other.

The `docker-compose.yml` file will finally look like this:
```yaml
version: '3.6'
services:
  web:
    image: 'gitlab/gitlab-ee:latest'
    container_name: gitlab-ee
    restart: always
    hostname: 'gitlab.example.com'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.example.org'
        nginx['listen_port'] = 80
        nginx['listen_https'] = false
        gitlab_rails['gitlab_shell_ssh_port'] = 222
        gitlab_rails['registry_enabled'] = true
        # docker host IP, not 127.0.0.1 (see the notes below)
        gitlab_rails['registry_api_url'] = 'http://<docker-host-ip>:5001'
        # key GitLab signs registry tokens with; pairs with /certs/registry.crt
        gitlab_rails['registry_key_path'] = '/certs/registry.key'
        registry_external_url 'https://gitlab-reg.example.com'
        registry_nginx['listen_port'] = 5001
        registry_nginx['listen_https'] = false
        # SSL terminates on the reverse proxy; header names are hyphenated
        registry_nginx['proxy_set_headers'] = { "X-Forwarded-Proto" => "https", "X-Forwarded-Ssl" => "on" }
    ports:
      - '8081:80'
      - '222:22'
    volumes:
      - '$GITLAB_HOME/config:/etc/gitlab'
      - '$GITLAB_HOME/logs:/var/log/gitlab'
      - '$GITLAB_HOME/data:/var/opt/gitlab'
      - './certs:/certs'
    shm_size: '256m'
  registry:
    image: registry
    container_name: registry
    restart: always
    ports:
      - '5001:5000'
    volumes:
      - '$GITLAB_REG/registry:/var/lib/registry'
      - './certs:/certs'
    # environment:
    #   - REGISTRY_AUTH_TOKEN_REALM=https://gl.aitribe.it/jwt/auth
    #   - REGISTRY_AUTH_TOKEN_SERVICE=container_registry
    #   - REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer
    #   - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry.crt
  gitlab-runner:
    image: gitlab/gitlab-runner:latest
    container_name: gitlab-runner
    restart: always
    volumes:
      - /srv/gitlab-runner/config:/etc/gitlab-runner
      - /var/run/docker.sock:/var/run/docker.sock
```
SO MANY NOTES to use this `docker-compose.yml` file:

- gitlab and gitlab registry are on different subdomains (that is not taken for granted) and are behind a reverse proxy with SSL termination on the proxy (that's the reason why the headers need to be set)
- the default registry_api_url (GITLAB_REGISTRY_API_URL in the link above, where the configuration doesn't involve Omnibus) points by default to 127.0.0.1:5000: this will obviously never work on a docker gitlab installation; for this reason it must be set to the docker host IP, specifying the port;
- for some reason I'm still trying to catch (I read it somewhere while trying to find the solution but didn't give it that much care) the container needs to be set NOT ON PORT 5000
- if you set the env variables as suggested in the docs reported above (commented out in the yml file above), you won't be able to log in to the registry via user and password anymore and you will need to generate a token in gitlab
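What the `registry_key_path` / `REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE` pairing actually does, as an added Go example (not code from this post, from GitLab or from the registry project; Go because the registry itself is written in it): GitLab signs a short JWT with `registry.key`, and the registry accepts a request only if the public key inside `registry.crt` verifies that signature and the issuer and service match its `REGISTRY_AUTH_TOKEN_ISSUER` / `REGISTRY_AUTH_TOKEN_SERVICE`. Assumptions: the token is a simplified RS256 JWT carrying only `iss`, `aud` and `sub`; the issuer `gitlab-issuer` and service `container_registry` are the values from the commented-out env block above; `alice` is a constructed subject; and the self-signed certificate is generated in-process instead of with openssl.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// GenerateRegistryPair mirrors the openssl steps in the post: an RSA key (registry.key)
// and a self-signed certificate over it (registry.crt), both PEM-encoded.
func GenerateRegistryPair(bits int) (keyPEM, certPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	// Validity like "-days 10000"; no subject is needed for a token-signing cert.
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10000 * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return keyPEM, certPEM, nil
}

// derOf returns the payload of the first PEM block, or nil when there is none
// (the x509 parsers then return an error instead of panicking).
func derOf(p []byte) []byte {
	if block, _ := pem.Decode(p); block != nil {
		return block.Bytes
	}
	return nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignToken plays the GitLab side (registry_key_path): an RS256 JWT carrying the
// issuer, audience (service) and subject that the registry will check.
func SignToken(keyPEM []byte, issuer, service, subject string) (string, error) {
	key, err := x509.ParsePKCS1PrivateKey(derOf(keyPEM))
	if err != nil {
		return "", err
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]string{"iss": issuer, "aud": service, "sub": subject})
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyToken plays the registry side (REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE): the public
// key inside registry.crt checks the signature, then issuer and audience are compared.
// A token signed with the key of a different pair is rejected at the signature step.
func VerifyToken(certPEM []byte, token, issuer, service string) (map[string]interface{}, error) {
	cert, err := x509.ParseCertificate(derOf(certPEM))
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	parts := strings.Split(token, ".")
	if !ok || len(parts) != 3 {
		return nil, fmt.Errorf("need an RSA certificate and a three-part token")
	}
	raw := make([][]byte, 3) // decoded header, claims, signature
	for i, p := range parts {
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return nil, err
		}
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, fmt.Errorf("signature does not verify against registry.crt: %w", err)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return nil, err
	}
	if claims["iss"] != issuer || claims["aud"] != service {
		return nil, fmt.Errorf("token for %v/%v, expected %s/%s", claims["iss"], claims["aud"], issuer, service)
	}
	return claims, nil
}

func main() { // demo only; the helpers' errors are ignored here
	keyPEM, certPEM, _ := GenerateRegistryPair(2048)
	_, otherCert, _ := GenerateRegistryPair(2048)
	tok, _ := SignToken(keyPEM, "gitlab-issuer", "container_registry", "alice")
	_, okErr := VerifyToken(certPEM, tok, "gitlab-issuer", "container_registry")
	_, badErr := VerifyToken(otherCert, tok, "gitlab-issuer", "container_registry")
	fmt.Println("matching registry.crt:", okErr, "| certificate from another pair:", badErr)
}
```

The second `VerifyToken` call in `main` is the failure mode to watch for when the `./certs` mount differs between the two containers or the pair is regenerated on only one side: the registry then refuses every GitLab-issued token, and with the token env vars set there is no password fallback, so pushes fail with an authentication error rather than a clearer message.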