Merge branch 'bundle_registry' into 'master'
Bundle registry Fixes gitlab-org/omnibus-gitlab#1218 Depends on gitlab-org/gitlab-ce!3787 See merge request !764
This commit is contained in:
commit
f74472d45b
|
@ -33,6 +33,7 @@ dependency "libicu"
|
|||
dependency "postgresql"
|
||||
dependency "python-docutils"
|
||||
dependency "krb5"
|
||||
dependency "registry"
|
||||
|
||||
if EE
|
||||
dependency "mysql-client"
|
||||
|
|
|
@ -0,0 +1,35 @@
|
|||
#
|
||||
## Copyright:: Copyright (c) 2016 GitLab Inc.
|
||||
## License:: Apache License, Version 2.0
|
||||
##
|
||||
## Licensed under the Apache License, Version 2.0 (the "License");
|
||||
## you may not use this file except in compliance with the License.
|
||||
## You may obtain a copy of the License at
|
||||
##
|
||||
## http://www.apache.org/licenses/LICENSE-2.0
|
||||
##
|
||||
## Unless required by applicable law or agreed to in writing, software
|
||||
## distributed under the License is distributed on an "AS IS" BASIS,
|
||||
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
## See the License for the specific language governing permissions and
|
||||
## limitations under the License.
|
||||
##
|
||||
#
|
||||
|
||||
name "registry"
|
||||
default_version "v2.4.0"
|
||||
|
||||
source :git => "https://github.com/docker/distribution.git"
|
||||
|
||||
relative_path "github.com/docker/distribution"
|
||||
|
||||
build do
|
||||
env = with_standard_compiler_flags(with_embedded_path)
|
||||
env = { 'GOPATH' => "#{Omnibus::Config.base_dir}"}
|
||||
cwd = "#{Omnibus::Config.source_dir}/github.com/docker/distribution"
|
||||
|
||||
command "go get github.com/tools/godep", env: env, cwd: cwd
|
||||
command "$GOPATH/bin/godep restore", env: env, cwd: cwd
|
||||
make "build PREFIX=#{install_dir}/embedded", env: env, cwd: cwd
|
||||
make "binaries PREFIX=#{install_dir}/embedded", env: env, cwd: cwd
|
||||
end
|
|
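Review bot: In the `build do` block of the new registry software definition, the environment returned by `with_standard_compiler_flags(with_embedded_path)` is thrown away by the very next line `env = { 'GOPATH' => ... }`, so the Go build runs without the embedded PATH and the standard compiler flags; if that is not deliberate, merge instead of replace, e.g. `env = with_standard_compiler_flags(with_embedded_path).merge('GOPATH' => Omnibus::Config.base_dir)`. Separately, `command "go get github.com/tools/godep"` fetches whatever godep master is at build time and `source :git` is pinned only to the movable tag `v2.4.0`, so what ships depends on two remote repositories the build does not verify; pinning the source to a commit SHA and pinning or vendoring godep would close that supply-chain gap and make the build reproducible. A short comment explaining why `GOPATH` is pointed at the Omnibus base dir and that `relative_path` must mirror the Go import path would help the next maintainer.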
@ -44,7 +44,7 @@ external_url 'GENERATED_EXTERNAL_URL'
|
|||
# gitlab_rails['ldap_sync_worker_cron'] = "30 1 * * *"
|
||||
# gitlab_rails['geo_bulk_notify_worker_cron'] = "*/10 * * * * *"
|
||||
# gitlab_rails['webhook_timeout'] = 10
|
||||
# gitlab_rails['trusted_proxies'] = []
|
||||
# gitlab_rails['trusted_proxies'] = []
|
||||
|
||||
## Reply by email
|
||||
# Allow users to comment on issues and merge requests by replying to notification emails.
|
||||
|
@ -309,6 +309,32 @@ external_url 'GENERATED_EXTERNAL_URL'
|
|||
# gitlab_rails['smtp_ca_path'] = "/etc/ssl/certs"
|
||||
# gitlab_rails['smtp_ca_file'] = "/etc/ssl/certs/ca-certificates.crt"
|
||||
|
||||
###############################
|
||||
# Container registry settings #
|
||||
###############################
|
||||
# see LINK
|
||||
#
|
||||
|
||||
# Settings used by GitLab application
|
||||
# gitlab_rails['registry_enabled'] = true
|
||||
# gitlab_rails['registry_host'] = "registry.gitlab.example.com"
|
||||
# gitlab_rails['registry_port'] = "7443"
|
||||
# gitlab_rails['registry_api_url'] = "http://localhost:5000"
|
||||
# gitlab_rails['registry_key_path'] = "/var/opt/gitlab/gitlab-rails/certificate.key"
|
||||
# gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry"
|
||||
# gitlab_rails['registry_issuer'] = "omnibus-gitlab-issuer"
|
||||
|
||||
# Settings used by Registry application
|
||||
# registry['enable'] = true
|
||||
# registry['username'] = "registry"
|
||||
# registry['group'] = "registry"
|
||||
# registry['uid'] = nil
|
||||
# registry['gid'] = nil
|
||||
# registry['dir'] = "/var/opt/gitlab/registry"
|
||||
# registry['log_directory'] = "/var/log/gitlab/registry"
|
||||
# registry['log_level'] = "info"
|
||||
# registry['rootcertbundle'] = "/var/opt/gitlab/registry/certificate.crt"
|
||||
|
||||
####################
|
||||
# GitLab Workhorse #
|
||||
####################
|
||||
|
@ -425,11 +451,13 @@ external_url 'GENERATED_EXTERNAL_URL'
|
|||
# postgresql['shmmax'] = 17179869184 # or 4294967295
|
||||
# postgresql['shmall'] = 4194304 # or 1048575
|
||||
# postgresql['work_mem'] = "8MB"
|
||||
# postgresql['maintenance_work_mem'] = "16MB"
|
||||
# postgresql['effective_cache_size'] = "1MB"
|
||||
# postgresql['checkpoint_segments'] = 10
|
||||
# postgresql['checkpoint_timeout'] = "5min"
|
||||
# postgresql['checkpoint_completion_target'] = 0.9
|
||||
# postgresql['checkpoint_warning'] = "30s"
|
||||
# postgresql['wal_buffers'] = "-1"
|
||||
|
||||
## Replication settings
|
||||
# postgresql['sql_replication_user'] = "gitlab_replicator"
|
||||
|
|
|
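Review bot: The commented defaults in the new "Container registry settings" block of gitlab.rb.template do not match what the recipes in this commit actually set: the gitlab-rails recipe points `registry_key_path` at `gitlab-registry.key` under the rails etc directory and the registry recipe sets `rootcertbundle` to `gitlab-registry.crt` under the registry dir, not `certificate.key` / `certificate.crt`. Users copy these lines verbatim, and a wrong `rootcertbundle` or `registry_key_path` will most likely leave the registry unable to load the certificate it validates GitLab-issued tokens against, so the comments should quote the real defaults, e.g. `# gitlab_rails['registry_key_path'] = "/var/opt/gitlab/gitlab-rails/etc/gitlab-registry.key"` and `# registry['rootcertbundle'] = "/var/opt/gitlab/registry/gitlab-registry.crt"` (the rails etc directory comes from `gitlab_rails_etc_dir`, which is defined outside this diff, so please confirm the path). The literal `# see LINK` placeholder at the top of the block should become the documentation URL or be dropped before release.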
@ -118,6 +118,13 @@ default['gitlab']['gitlab-rails']['pages_host'] = nil
|
|||
default['gitlab']['gitlab-rails']['pages_port'] = nil
|
||||
default['gitlab']['gitlab-rails']['pages_https'] = false
|
||||
default['gitlab']['gitlab-rails']['pages_path'] = nil
|
||||
default['gitlab']['gitlab-rails']['registry_enabled'] = false
|
||||
default['gitlab']['gitlab-rails']['registry_host'] = nil
|
||||
default['gitlab']['gitlab-rails']['registry_port'] = nil
|
||||
default['gitlab']['gitlab-rails']['registry_api_url'] = nil
|
||||
default['gitlab']['gitlab-rails']['registry_key_path'] = nil
|
||||
default['gitlab']['gitlab-rails']['registry_path'] = nil
|
||||
default['gitlab']['gitlab-rails']['registry_issuer'] = "omnibus-gitlab-issuer"
|
||||
|
||||
####
|
||||
# These LDAP settings are deprecated in favor of the new syntax. They are kept here for backwards compatibility.
|
||||
|
@ -333,12 +340,15 @@ else
|
|||
end
|
||||
|
||||
default['gitlab']['postgresql']['work_mem'] = "8MB"
|
||||
default['gitlab']['postgresql']['maintenance_work_mem'] = "16MB"
|
||||
default['gitlab']['postgresql']['effective_cache_size'] = "#{(node['memory']['total'].to_i / 2) / (1024)}MB"
|
||||
default['gitlab']['postgresql']['log_min_duration_statement'] = -1 # Disable slow query logging by default
|
||||
default['gitlab']['postgresql']['checkpoint_segments'] = 10
|
||||
default['gitlab']['postgresql']['checkpoint_timeout'] = "5min"
|
||||
default['gitlab']['postgresql']['checkpoint_completion_target'] = 0.9
|
||||
default['gitlab']['postgresql']['checkpoint_warning'] = "30s"
|
||||
default['gitlab']['postgresql']['wal_buffers'] = "-1"
|
||||
|
||||
# Replication settings
|
||||
default['gitlab']['postgresql']['sql_replication_user'] = "gitlab_replicator"
|
||||
default['gitlab']['postgresql']['wal_level'] = "minimal"
|
||||
|
@ -420,6 +430,21 @@ default['gitlab']['gitlab-pages']['use_http2'] = true
|
|||
default['gitlab']['gitlab-pages']['dir'] = "/var/opt/gitlab/gitlab-pages"
|
||||
default['gitlab']['gitlab-pages']['log_directory'] = "/var/log/gitlab/gitlab-pages"
|
||||
|
||||
####
|
||||
# Registry
|
||||
####
|
||||
default['gitlab']['registry']['enable'] = false
|
||||
default['gitlab']['registry']['username'] = "registry"
|
||||
default['gitlab']['registry']['group'] = "registry"
|
||||
default['gitlab']['registry']['uid'] = nil
|
||||
default['gitlab']['registry']['gid'] = nil
|
||||
default['gitlab']['registry']['dir'] = "/var/opt/gitlab/registry"
|
||||
default['gitlab']['registry']['log_directory'] = "/var/log/gitlab/registry"
|
||||
default['gitlab']['registry']['log_level'] = "info"
|
||||
default['gitlab']['registry']['rootcertbundle'] = nil
|
||||
|
||||
|
||||
|
||||
####
|
||||
# Nginx
|
||||
####
|
||||
|
@ -765,3 +790,9 @@ default['gitlab']['mattermost-nginx']['enable'] = false
|
|||
####
|
||||
default['gitlab']['pages-nginx'] = default['gitlab']['nginx'].dup
|
||||
default['gitlab']['pages-nginx']['enable'] = true
|
||||
|
||||
####
|
||||
# GitLab Registry NGINX
|
||||
####
|
||||
default['gitlab']['registry-nginx'] = default['gitlab']['nginx'].dup
|
||||
default['gitlab']['registry-nginx']['enable'] = true
|
||||
|
|
|
@ -78,6 +78,14 @@ class AccountHelper
|
|||
node['gitlab']['mattermost']['group']
|
||||
end
|
||||
|
||||
def registry_user
|
||||
node['gitlab']['registry']['username']
|
||||
end
|
||||
|
||||
def registry_group
|
||||
node['gitlab']['registry']['group']
|
||||
end
|
||||
|
||||
def users
|
||||
%W(
|
||||
#{gitlab_user}
|
||||
|
@ -87,6 +95,7 @@ class AccountHelper
|
|||
#{gitlab_ci_user}
|
||||
#{ci_redis_user}
|
||||
#{mattermost_user}
|
||||
#{registry_user}
|
||||
)
|
||||
end
|
||||
|
||||
|
@ -99,7 +108,7 @@ class AccountHelper
|
|||
#{gitlab_ci_group}
|
||||
#{ci_redis_group}
|
||||
#{mattermost_group}
|
||||
#{registry_group}
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -52,6 +52,7 @@ module Gitlab
|
|||
gitlab_workhorse Mash.new
|
||||
gitlab_git_http_server Mash.new # legacy from GitLab 7.14, 8.0, 8.1
|
||||
pages_nginx Mash.new
|
||||
registry_nginx Mash.new
|
||||
mailroom Mash.new
|
||||
nginx Mash.new
|
||||
ci_nginx Mash.new
|
||||
|
@ -63,11 +64,13 @@ module Gitlab
|
|||
web_server Mash.new
|
||||
mattermost Mash.new
|
||||
gitlab_pages Mash.new
|
||||
registry Mash.new
|
||||
node nil
|
||||
external_url nil
|
||||
pages_external_url nil
|
||||
ci_external_url nil
|
||||
mattermost_external_url nil
|
||||
registry_external_url nil
|
||||
git_data_dir nil
|
||||
|
||||
class << self
|
||||
|
@ -91,6 +94,11 @@ module Gitlab
|
|||
end
|
||||
Gitlab['gitlab_ci']['db_key_base'] ||= generate_hex(64)
|
||||
|
||||
Gitlab['registry']['http_secret'] ||= generate_hex(64)
|
||||
gitlab_registry_crt, gitlab_registry_key = generate_registry_keypair
|
||||
Gitlab['registry']['internal_certificate'] ||= gitlab_registry_crt
|
||||
Gitlab['registry']['internal_key'] ||= gitlab_registry_key
|
||||
|
||||
Gitlab['mattermost']['email_invite_salt'] ||= generate_hex(16)
|
||||
Gitlab['mattermost']['file_public_link_salt'] ||= generate_hex(16)
|
||||
Gitlab['mattermost']['email_password_reset_salt'] ||= generate_hex(16)
|
||||
|
@ -101,6 +109,22 @@ module Gitlab
|
|||
SecretsHelper.write_to_gitlab_secrets
|
||||
end
|
||||
|
||||
def generate_registry_keypair
|
||||
key = OpenSSL::PKey::RSA.new(4096)
|
||||
subject = "/C=USA/O=GitLab/OU=Container/CN=Registry"
|
||||
|
||||
cert = OpenSSL::X509::Certificate.new
|
||||
cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
|
||||
cert.not_before = Time.now
|
||||
cert.not_after = Time.now + 18250 * 24 * 60 * 60
|
||||
cert.public_key = key.public_key
|
||||
cert.serial = 0x0
|
||||
cert.version = 2
|
||||
cert.sign key, OpenSSL::Digest::SHA256.new
|
||||
|
||||
[cert.to_pem, key.to_pem]
|
||||
end
|
||||
|
||||
def parse_gitlab_git_http_server
|
||||
Gitlab['gitlab_git_http_server'].each do |k, v|
|
||||
Chef::Log.warn "gitlab_git_http_server is deprecated. Please use gitlab_workhorse in gitlab.rb"
|
||||
|
@ -355,7 +379,7 @@ module Gitlab
|
|||
uri = URI(ci_external_url.to_s)
|
||||
|
||||
unless uri.host
|
||||
raise "GitLab CI external URL must must include a schema and FQDN, e.g. http://ci.example.com/"
|
||||
raise "GitLab CI external URL must include a schema and FQDN, e.g. http://ci.example.com/"
|
||||
end
|
||||
Gitlab['gitlab_ci']['gitlab_ci_host'] = uri.host
|
||||
Gitlab['gitlab_ci']['gitlab_ci_email_from'] ||= "gitlab-ci@#{uri.host}"
|
||||
|
@ -396,7 +420,7 @@ module Gitlab
|
|||
uri = URI(pages_external_url.to_s)
|
||||
|
||||
unless uri.host
|
||||
raise "GitLab Pages external URL must must include a schema and FQDN, e.g. http://pages.example.com/"
|
||||
raise "GitLab Pages external URL must include a schema and FQDN, e.g. http://pages.example.com/"
|
||||
end
|
||||
|
||||
Gitlab['gitlab_rails']['pages_host'] = uri.host
|
||||
|
@ -442,7 +466,7 @@ module Gitlab
|
|||
uri = URI(mattermost_external_url.to_s)
|
||||
|
||||
unless uri.host
|
||||
raise "GitLab Mattermost external URL must must include a schema and FQDN, e.g. http://mattermost.example.com/"
|
||||
raise "GitLab Mattermost external URL must include a schema and FQDN, e.g. http://mattermost.example.com/"
|
||||
end
|
||||
|
||||
Gitlab['mattermost']['host'] = uri.host
|
||||
|
@ -477,6 +501,70 @@ module Gitlab
|
|||
mailroom['enable'] = true if mailroom['enable'].nil?
|
||||
end
|
||||
|
||||
def parse_registry_external_url
|
||||
return if registry['enable'] == false
|
||||
|
||||
if registry_external_url
|
||||
uri = URI(registry_external_url.to_s)
|
||||
|
||||
unless uri.host
|
||||
raise "GitLab Container Registry external URL must include a schema and FQDN, e.g. https://registry.example.com/"
|
||||
end
|
||||
|
||||
listen_port = uri.port
|
||||
else
|
||||
gitlab_uri = URI(external_url.to_s)
|
||||
|
||||
if gitlab_uri.scheme == "https"
|
||||
uri = gitlab_uri
|
||||
listen_port = 5005
|
||||
|
||||
Gitlab['registry_nginx']['ssl_certificate'] ||= Gitlab['nginx']['ssl_certificate']
|
||||
Gitlab['registry_nginx']['ssl_certificate_key'] ||= Gitlab['nginx']['ssl_certificate_key']
|
||||
else
|
||||
# Registry needs to be on https
|
||||
# so disable the service and exit
|
||||
registry['enable'] = false
|
||||
return
|
||||
end
|
||||
end
|
||||
|
||||
if registry['enable'].nil?
|
||||
registry['enable'] = true
|
||||
Gitlab['gitlab_rails']['registry_enabled'] = true
|
||||
end
|
||||
|
||||
Gitlab['registry']['registry_http_addr'] ||= "localhost:5000"
|
||||
Gitlab['registry']['registry_http_addr'].gsub(/^https?\:\/\/(www.)?/,'')
|
||||
Gitlab['gitlab_rails']['registry_api_url'] ||= "http://#{Gitlab['registry']['registry_http_addr']}"
|
||||
Gitlab['registry']['token_realm'] ||= external_url
|
||||
Gitlab['gitlab_rails']['registry_host'] = uri.host
|
||||
Gitlab['registry_nginx']['listen_port'] ||= Gitlab['gitlab_rails']['registry_port'] || listen_port
|
||||
|
||||
if uri.scheme == "https"
|
||||
Gitlab['registry_nginx']['https'] ||= true
|
||||
Gitlab['registry_nginx']['ssl_certificate'] ||= "/etc/gitlab/ssl/#{uri.host}.crt"
|
||||
Gitlab['registry_nginx']['ssl_certificate_key'] ||= "/etc/gitlab/ssl/#{uri.host}.key"
|
||||
Gitlab['registry_nginx']['redirect_http_to_https'] = true
|
||||
else
|
||||
raise "Unsupported GitLab Registry external URL scheme: #{uri.scheme}"
|
||||
end
|
||||
|
||||
unless ["", "/"].include?(uri.path)
|
||||
raise "Unsupported GitLab Registry external URL path: #{uri.path}"
|
||||
end
|
||||
|
||||
unless [80, 443].include?(listen_port)
|
||||
Gitlab['gitlab_rails']['registry_port'] ||= listen_port
|
||||
end
|
||||
end
|
||||
|
||||
def parse_registry
|
||||
return unless registry['enable']
|
||||
|
||||
gitlab_rails['registry_path'] = "#{gitlab_rails['shared_path']}/registry" if gitlab_rails['registry_path'].nil?
|
||||
end
|
||||
|
||||
def disable_gitlab_rails_services
|
||||
if gitlab_rails["enable"] == false
|
||||
redis["enable"] = false
|
||||
|
@ -509,6 +597,7 @@ module Gitlab
|
|||
"ci_nginx",
|
||||
"mattermost_nginx",
|
||||
"pages_nginx",
|
||||
"registry_nginx",
|
||||
"logging",
|
||||
"remote_syslog",
|
||||
"logrotate",
|
||||
|
@ -520,7 +609,8 @@ module Gitlab
|
|||
"ci_external_url",
|
||||
"mattermost_external_url",
|
||||
"pages_external_url",
|
||||
"gitlab_pages"
|
||||
"gitlab_pages",
|
||||
"registry"
|
||||
].each do |key|
|
||||
rkey = key.gsub('_', '-')
|
||||
results['gitlab'][rkey] = Gitlab[key]
|
||||
|
@ -547,6 +637,7 @@ module Gitlab
|
|||
parse_ci_external_url
|
||||
parse_pages_external_url
|
||||
parse_mattermost_external_url
|
||||
parse_registry_external_url
|
||||
parse_unicorn_listen_address
|
||||
parse_nginx_listen_address
|
||||
parse_nginx_listen_ports
|
||||
|
@ -555,6 +646,7 @@ module Gitlab
|
|||
parse_gitlab_mattermost
|
||||
parse_incoming_email
|
||||
parse_gitlab_pages_daemon
|
||||
parse_registry
|
||||
disable_gitlab_rails_services
|
||||
# The last step is to convert underscores to hyphens in top-level keys
|
||||
generate_hash
|
||||
|
|
|
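Review bot: In `parse_registry_external_url` the call `Gitlab['registry']['registry_http_addr'].gsub(/^https?\:\/\/(www.)?/,'')` discards its return value, so a user-supplied `registry_http_addr` such as `http://127.0.0.1:5000` is never stripped, `registry_api_url` is then built as `http://http://127.0.0.1:5000`, and the same unstripped value lands in the registry's `http.addr`; reassign instead, e.g. `Gitlab['registry']['registry_http_addr'] = Gitlab['registry']['registry_http_addr'].sub(%r{\Ahttps?://(www\.)?}, '')`, which also anchors on the whole string and escapes the dot. In the secrets hunk, `gitlab_registry_crt, gitlab_registry_key = generate_registry_keypair` runs before the `||=` guards, so a fresh 4096-bit RSA key is generated on every reconfigure and discarded once the secrets exist; generating only when `internal_certificate` or `internal_key` is missing avoids that cost and makes it explicit that the pair must be created together. In `generate_registry_keypair`, `cert.serial = 0x0` and the `/C=USA` subject are not conformant (RFC 5280 requires a positive serial and countryName is a two-letter code), so stricter X.509 parsers may reject the bundle; `cert.serial = 1` (or a random serial) and `/C=US` are safer, and a comment stating that this self-signed pair is only used to sign and verify registry JWTs, never for TLS, would document the 50-year validity choice.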
@ -264,6 +264,12 @@ class SecretsHelper
|
|||
'secret_key_base' => Gitlab['gitlab_ci']['secret_key_base'],
|
||||
'db_key_base' => Gitlab['gitlab_ci']['db_key_base'],
|
||||
},
|
||||
'registry' => {
|
||||
'http_secret' => Gitlab['registry']['http_secret'],
|
||||
'internal_certificate' => Gitlab['registry']['internal_certificate'],
|
||||
'internal_key' => Gitlab['registry']['internal_key']
|
||||
|
||||
},
|
||||
'mattermost' => {
|
||||
'email_invite_salt' => Gitlab['mattermost']['email_invite_salt'],
|
||||
'file_public_link_salt' => Gitlab['mattermost']['file_public_link_salt'],
|
||||
|
|
|
@ -62,6 +62,8 @@ template "#{install_dir}/embedded/etc/gitconfig" do
|
|||
variables gitconfig: node['gitlab']['omnibus-gitconfig']['system']
|
||||
end
|
||||
|
||||
# This recipe needs to run before gitlab-rails
|
||||
# because we add `gitlab-www` user to some groups created by that recipe
|
||||
include_recipe "gitlab::web-server"
|
||||
|
||||
if node['gitlab']['gitlab-rails']['enable']
|
||||
|
@ -104,7 +106,8 @@ include_recipe "runit"
|
|||
"logrotate",
|
||||
"bootstrap",
|
||||
"mattermost",
|
||||
"gitlab-pages"
|
||||
"gitlab-pages",
|
||||
"registry"
|
||||
].each do |service|
|
||||
if node["gitlab"][service]["enable"]
|
||||
include_recipe "gitlab::#{service}"
|
||||
|
|
|
@ -30,6 +30,9 @@ gitlab_ci_dir = node['gitlab']['gitlab-ci']['dir']
|
|||
gitlab_ci_builds_dir = node['gitlab']['gitlab-ci']['builds_directory']
|
||||
upgrade_status_dir = File.join(gitlab_rails_dir, "upgrade-status")
|
||||
|
||||
# Set path to the private key used for communication between registry and Gitlab.
|
||||
node.default['gitlab']['gitlab-rails']['registry_key_path'] = File.join(gitlab_rails_etc_dir, "gitlab-registry.key")
|
||||
|
||||
ssh_dir = File.join(node['gitlab']['user']['home'], ".ssh")
|
||||
known_hosts = File.join(ssh_dir, "known_hosts")
|
||||
|
||||
|
|
|
@ -43,6 +43,7 @@ nginx_config = File.join(nginx_conf_dir, "nginx.conf")
|
|||
|
||||
gitlab_rails_http_conf = File.join(nginx_conf_dir, "gitlab-http.conf")
|
||||
gitlab_pages_http_conf = File.join(nginx_conf_dir, "gitlab-pages.conf")
|
||||
gitlab_registry_http_conf = File.join(nginx_conf_dir, "gitlab-registry.conf")
|
||||
gitlab_mattermost_http_conf = File.join(nginx_conf_dir, "gitlab-mattermost-http.conf")
|
||||
|
||||
# If the service is enabled, check if we are using internal nginx
|
||||
|
@ -64,6 +65,12 @@ gitlab_pages_enabled = if node['gitlab']['gitlab-rails']['pages_enabled']
|
|||
false
|
||||
end
|
||||
|
||||
gitlab_registry_enabled = if node['gitlab']['registry']['enable']
|
||||
node['gitlab']['registry-nginx']['enable']
|
||||
else
|
||||
false
|
||||
end
|
||||
|
||||
# Include the config file for gitlab-rails in nginx.conf later
|
||||
nginx_vars = node['gitlab']['nginx'].to_hash.merge({
|
||||
:gitlab_http_config => gitlab_rails_enabled ? gitlab_rails_http_conf : nil
|
||||
|
@ -79,6 +86,10 @@ nginx_vars = nginx_vars.to_hash.merge!({
|
|||
:gitlab_pages_http_config => gitlab_pages_enabled ? gitlab_pages_http_conf : nil
|
||||
})
|
||||
|
||||
nginx_vars = nginx_vars.to_hash.merge!({
|
||||
:gitlab_registry_http_config => gitlab_registry_enabled ? gitlab_registry_http_conf : nil
|
||||
})
|
||||
|
||||
if nginx_vars['listen_https'].nil?
|
||||
nginx_vars['https'] = node['gitlab']['gitlab-rails']['gitlab_https']
|
||||
else
|
||||
|
@ -98,7 +109,8 @@ template gitlab_rails_http_conf do
|
|||
:kerberos_enabled => node['gitlab']['gitlab-rails']['kerberos_enabled'],
|
||||
:kerberos_use_dedicated_port => node['gitlab']['gitlab-rails']['kerberos_use_dedicated_port'],
|
||||
:kerberos_port => node['gitlab']['gitlab-rails']['kerberos_port'],
|
||||
:kerberos_https => node['gitlab']['gitlab-rails']['kerberos_https']
|
||||
:kerberos_https => node['gitlab']['gitlab-rails']['kerberos_https'],
|
||||
:registry_api_url => node['gitlab']['gitlab-rails']['registry_api_url']
|
||||
}
|
||||
))
|
||||
notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
|
||||
|
@ -128,6 +140,23 @@ template gitlab_pages_http_conf do
|
|||
action gitlab_pages_enabled ? :create : :delete
|
||||
end
|
||||
|
||||
registry_nginx_vars = node['gitlab']['registry-nginx'].to_hash
|
||||
template gitlab_registry_http_conf do
|
||||
source "nginx-gitlab-registry-http.conf.erb"
|
||||
owner "root"
|
||||
group "root"
|
||||
mode "0644"
|
||||
variables(registry_nginx_vars.merge(
|
||||
{
|
||||
registry_api_url: node['gitlab']['gitlab-rails']['registry_api_url'],
|
||||
registry_host: node['gitlab']['gitlab-rails']['registry_host'],
|
||||
registry_http_addr: node['gitlab']['registry']['registry_http_addr']
|
||||
}
|
||||
))
|
||||
notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
|
||||
action gitlab_registry_enabled ? :create : :delete
|
||||
end
|
||||
|
||||
mattermost_nginx_vars = node['gitlab']['mattermost-nginx'].to_hash
|
||||
|
||||
if mattermost_nginx_vars['listen_https'].nil?
|
||||
|
|
|
@ -0,0 +1,100 @@
|
|||
#
|
||||
# Copyright:: Copyright (c) 2016 GitLab Inc.
|
||||
# License:: Apache License, Version 2.0
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
account_helper = AccountHelper.new(node)
|
||||
registry_uid = node['gitlab']['registry']['uid']
|
||||
registry_gid = node['gitlab']['registry']['gid']
|
||||
|
||||
working_dir = node['gitlab']['registry']['dir']
|
||||
log_directory = node['gitlab']['registry']['log_directory']
|
||||
|
||||
directory working_dir do
|
||||
recursive true
|
||||
end
|
||||
|
||||
account "Docker registry user and group" do
|
||||
username account_helper.registry_user
|
||||
uid registry_uid
|
||||
ugid account_helper.registry_group
|
||||
groupname account_helper.registry_group
|
||||
gid registry_gid
|
||||
shell '/bin/sh'
|
||||
home working_dir
|
||||
manage node['gitlab']['manage-accounts']['enable']
|
||||
end
|
||||
|
||||
# Add registry user to web server group
|
||||
# To allow access to the registry directory located in shared
|
||||
if node['gitlab']['manage-accounts']['enable']
|
||||
group account_helper.web_server_group do
|
||||
append true
|
||||
members account_helper.registry_user
|
||||
end
|
||||
end
|
||||
|
||||
[
|
||||
working_dir,
|
||||
log_directory,
|
||||
].each do |dir|
|
||||
directory dir do
|
||||
owner account_helper.registry_user
|
||||
mode '0700'
|
||||
recursive true
|
||||
end
|
||||
end
|
||||
|
||||
directory node['gitlab']['gitlab-rails']['registry_path'] do
|
||||
owner account_helper.registry_user
|
||||
group account_helper.web_server_group
|
||||
mode '0750'
|
||||
recursive true
|
||||
only_if { node['gitlab']['manage-storage-directories']['enable'] }
|
||||
end
|
||||
|
||||
key_file_path = node['gitlab']['gitlab-rails']['registry_key_path']
|
||||
file key_file_path do
|
||||
content node['gitlab']['registry']['internal_key']
|
||||
owner account_helper.gitlab_user
|
||||
group account_helper.gitlab_group
|
||||
end
|
||||
|
||||
cert_file_path = File.join(working_dir, "gitlab-registry.crt")
|
||||
node.default['gitlab']['registry']['rootcertbundle'] = cert_file_path
|
||||
file cert_file_path do
|
||||
content node['gitlab']['registry']['internal_certificate']
|
||||
owner account_helper.registry_user
|
||||
group account_helper.registry_group
|
||||
end
|
||||
|
||||
template "#{working_dir}/config.yml" do
|
||||
source "registry-config.yml.erb"
|
||||
owner account_helper.registry_user
|
||||
variables node['gitlab']['registry'].to_hash.merge(node['gitlab']['gitlab-rails'].to_hash)
|
||||
mode "0644"
|
||||
notifies :restart, "service[registry]"
|
||||
end
|
||||
|
||||
runit_service 'registry' do
|
||||
options({
|
||||
:log_directory => log_directory
|
||||
}.merge(params))
|
||||
log_options node['gitlab']['logging'].to_hash.merge(node['gitlab']['registry'].to_hash)
|
||||
end
|
||||
|
||||
file File.join(working_dir, "VERSION") do
|
||||
content VersionHelper.version("/opt/gitlab/embedded/bin/registry --version")
|
||||
notifies :restart, "service[registry]"
|
||||
end
|
|
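Review bot: The `file key_file_path` resource writes the RSA private key that signs registry tokens without a `mode`, so on a fresh install it gets the umask default (typically 0644) and, unless the enclosing rails etc directory is itself locked down (not visible here), the key is readable by every local account; add `mode '0600'` and, if the bundled Chef supports it, `sensitive true` so the key is not echoed in reconfigure diffs. `config.yml` carries `http_secret` and is written with `mode "0644"`; the 0700 on `working_dir` shields it today, but `mode '0600'` on the file keeps the secret protected if that directory mode is ever relaxed. The first `directory working_dir do recursive true end` at the top of the recipe creates the directory as root with default permissions before the later loop re-owns it with 0700; giving it the owner and mode up front, or dropping it in favour of the loop, removes the transient window and the duplicate resource.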
@ -0,0 +1,20 @@
|
|||
#
|
||||
# Copyright:: Copyright (c) 2016 GitLab Inc.
|
||||
# License:: Apache License, Version 2.0
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
runit_service "registry" do
|
||||
action :disable
|
||||
end
|
|
@ -18,12 +18,20 @@
|
|||
account_helper = AccountHelper.new(node)
|
||||
webserver_username = account_helper.web_server_user
|
||||
webserver_group = account_helper.web_server_group
|
||||
external_webserver_users = node['gitlab']['web-server']['external_users']
|
||||
external_webserver_users = node['gitlab']['web-server']['external_users'].to_a
|
||||
|
||||
# This recipe runs before registry recipe so we need to make sure that the
|
||||
# registry users is appended to the webserver group as registry requires access
|
||||
# to the gitlab-rails/shared folder.
|
||||
# Without this check the reconfigure run would fail on the first run and also
|
||||
# the group would end up being altered on every reconfigure run
|
||||
if node["gitlab"]["registry"]["enable"] && OmnibusHelper.user_exists?(account_helper.registry_user)
|
||||
external_webserver_users << account_helper.registry_user
|
||||
end
|
||||
|
||||
# Create the group for the GitLab user
|
||||
# If external webserver is used, add the external webserver user to
|
||||
# GitLab webserver group
|
||||
append_members = external_webserver_users.any? && !node['gitlab']['nginx']['enable']
|
||||
|
||||
account "Webserver user and group" do
|
||||
username webserver_username
|
||||
|
@ -33,7 +41,7 @@ account "Webserver user and group" do
|
|||
gid node['gitlab']['web-server']['gid']
|
||||
shell node['gitlab']['web-server']['shell']
|
||||
home node['gitlab']['web-server']['home']
|
||||
append_to_group append_members
|
||||
append_to_group external_webserver_users.any?
|
||||
group_members external_webserver_users
|
||||
user_supports manage_home: false
|
||||
manage node['gitlab']['manage-accounts']['enable']
|
||||
|
|
|
@ -124,6 +124,16 @@ production: &base
|
|||
# The location where LFS objects are stored (default: shared/lfs-objects).
|
||||
storage_path: <%= @lfs_storage_path %>
|
||||
|
||||
## Container Registry
|
||||
registry:
|
||||
enabled: <%= @registry_enabled %>
|
||||
host: <%= @registry_host %>
|
||||
port: <%= @registry_port %>
|
||||
api_url: <%= @registry_api_url %> # internal address to the registry, will be used by GitLab to directly communicate with API
|
||||
path: <%= @registry_path %>
|
||||
key: <%= @registry_key_path %>
|
||||
issuer: <%= @registry_issuer %>
|
||||
|
||||
## GitLab Pages (EE only)
|
||||
pages:
|
||||
enabled: <%= @pages_enabled %>
|
||||
|
|
|
@ -0,0 +1,69 @@
|
|||
# This file is managed by gitlab-ctl. Manual changes will be
|
||||
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
|
||||
# and run `sudo gitlab-ctl reconfigure`.
|
||||
|
||||
## Lines starting with two hashes (##) are comments with information.
|
||||
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
|
||||
##
|
||||
###################################
|
||||
## configuration ##
|
||||
###################################
|
||||
|
||||
## Redirects all HTTP traffic to the HTTPS host
|
||||
server {
|
||||
<% @listen_addresses.each do |listen_address| %>
|
||||
listen <%= listen_address %>:<%= @redirect_http_to_https_port %>;
|
||||
<% end %>
|
||||
server_name <%= @registry_host %>;
|
||||
server_tokens off; ## Don't show the nginx version number, a security best practice
|
||||
return 301 https://$http_host:<%= @port %>$request_uri;
|
||||
access_log <%= @log_directory %>/gitlab_registry_access.log gitlab_access;
|
||||
error_log <%= @log_directory %>/gitlab_registry_error.log;
|
||||
}
|
||||
|
||||
server {
|
||||
<% @listen_addresses.each do |listen_address| %>
|
||||
listen <%= listen_address %>:<%= @listen_port %><% if @https %> ssl http2<% end %>;
|
||||
<% end %>
|
||||
server_name <%= @registry_host %>;
|
||||
server_tokens off; ## Don't show the nginx version number, a security best practice
|
||||
|
||||
client_max_body_size 0;
|
||||
chunked_transfer_encoding on;
|
||||
|
||||
<% if @https %>
|
||||
## Strong SSL Security
|
||||
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
|
||||
ssl on;
|
||||
ssl_certificate <%= @ssl_certificate %>;
|
||||
ssl_certificate_key <%= @ssl_certificate_key %>;
|
||||
<% if @ssl_client_certificate %>
|
||||
ssl_client_certificate <%= @ssl_client_certificate%>;
|
||||
<% end %>
|
||||
|
||||
ssl_ciphers '<%= @ssl_ciphers %>';
|
||||
ssl_protocols <%= @ssl_protocols %>;
|
||||
ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
|
||||
ssl_session_cache <%= @ssl_session_cache %>;
|
||||
ssl_session_timeout <%= @ssl_session_timeout %>;
|
||||
|
||||
<% if @ssl_dhparam %>
|
||||
ssl_dhparam <%= @ssl_dhparam %>;
|
||||
<% end %>
|
||||
<% end %>
|
||||
|
||||
access_log <%= @log_directory %>/gitlab_registry_access.log gitlab_access;
|
||||
error_log <%= @log_directory %>/gitlab_registry_error.log;
|
||||
|
||||
location / {
|
||||
proxy_set_header Host $http_host; # required for docker client's sake
|
||||
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_read_timeout 900;
|
||||
|
||||
proxy_pass http://<%= @registry_http_addr %>;
|
||||
}
|
||||
|
||||
<%= @custom_gitlab_server_config %>
|
||||
}
|
|
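Review bot: The HTTP-to-HTTPS block uses `return 301 https://$http_host:<%= @port %>$request_uri;`, where `$http_host` is the client-supplied Host header, so a crafted Host (or one that already carries a port) steers the redirect to an arbitrary host or a `host:port:port` URL; `return 301 https://<%= @registry_host %>:<%= @listen_port %>$request_uri;` keeps the redirect pinned to the name this server block serves. I also cannot find `port` being set for `registry_nginx` anywhere in this diff, so if nothing is inherited from the nginx defaults the line renders as `https://host:/...`, whereas `@listen_port` is a value this commit does set. If the main GitLab nginx template gates its redirect `server {}` on `@redirect_http_to_https` (it is outside this diff), this template should do the same instead of always emitting the block.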
@ -51,5 +51,9 @@ http {
|
|||
include <%= @gitlab_mattermost_http_config %>;
|
||||
<% end %>
|
||||
|
||||
<% if @gitlab_registry_http_config %>
|
||||
include <%= @gitlab_registry_http_config %>;
|
||||
<% end %>
|
||||
|
||||
<%= @custom_nginx_config %>
|
||||
}
|
||||
|
|
|
@ -120,7 +120,7 @@ shared_buffers = <%= node['gitlab']['postgresql']['shared_buffers'] %> # min 128
|
|||
# It is not advisable to set max_prepared_transactions nonzero unless you
|
||||
# actively intend to use prepared transactions.
|
||||
work_mem = <%= node['gitlab']['postgresql']['work_mem'] %> # min 64kB
|
||||
#maintenance_work_mem = 16MB # min 1MB
|
||||
maintenance_work_mem = <%= node['gitlab']['postgresql']['maintenance_work_mem'] %> # 16MB # min 1MB
|
||||
#max_stack_depth = 2MB # min 100kB
|
||||
|
||||
# - Kernel Resource Usage -
|
||||
|
@ -166,7 +166,7 @@ wal_level = <%= node['gitlab']['postgresql']['wal_level'] %>
|
|||
# fsync_writethrough
|
||||
# open_sync
|
||||
#full_page_writes = on # recover from partial page writes
|
||||
#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
|
||||
wal_buffers = <%= node['gitlab']['postgresql']['wal_buffers'] %> # -1 # min 32kB, -1 sets based on shared_buffers
|
||||
# (change requires restart)
|
||||
#wal_writer_delay = 200ms # 1-10000 milliseconds
|
||||
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
version: 0.1
|
||||
log:
|
||||
level: <%= @log_level %>
|
||||
fields:
|
||||
service: registry
|
||||
environment: production
|
||||
storage:
|
||||
cache:
|
||||
blobdescriptor: inmemory
|
||||
filesystem:
|
||||
rootdirectory: <%= @registry_path %>
|
||||
http:
|
||||
addr: <%= @registry_http_addr %>
|
||||
secret: "<%= @http_secret %>"
|
||||
headers:
|
||||
X-Content-Type-Options: [nosniff]
|
||||
health:
|
||||
storagedriver:
|
||||
enabled: true
|
||||
interval: 10s
|
||||
threshold: 3
|
||||
auth:
|
||||
token:
|
||||
realm: <%= @token_realm %>/jwt/auth
|
||||
service: container_registry
|
||||
issuer: <%= @registry_issuer %>
|
||||
rootcertbundle: <%= @rootcertbundle %>
|
|
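Review bot: `realm: <%= @token_realm %>/jwt/auth` takes `token_realm` from the GitLab `external_url` with no scheme check, and Docker clients present the user's credentials to the realm when obtaining a token, so with an HTTPS `registry_external_url` and a plain-HTTP `external_url` — a combination `parse_registry_external_url` does not reject — those credentials travel in clear. Either require an https `token_realm` where it is derived, or at least document the requirement here, e.g. `## realm must be served over HTTPS: docker login sends the user's credentials to it`. `@token_realm` is interpolated verbatim, so an `external_url` ending in `/` yields `//jwt/auth`; `<%= @token_realm.to_s.chomp('/') %>/jwt/auth` avoids that.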
@ -0,0 +1,6 @@
|
|||
<%= "s#@svlogd_size" if @svlogd_size %>
|
||||
<%= "n#@svlogd_num" if @svlogd_num %>
|
||||
<%= "t#@svlogd_timeout" if @svlogd_timeout %>
|
||||
<%= "!#@svlogd_filter" if @svlogd_filter %>
|
||||
<%= "u#@svlogd_udp" if @svlogd_udp %>
|
||||
<%= "p#@svlogd_prefix" if @svlogd_prefix %>
|
|
@ -0,0 +1,2 @@
|
|||
#!/bin/sh
|
||||
exec svlogd -tt <%= @options[:log_directory] %>
|
|
@ -0,0 +1,12 @@
|
|||
#!/bin/bash
|
||||
set -e # fail on errors
|
||||
|
||||
# Redirect stderr -> stdout
|
||||
exec 2>&1
|
||||
|
||||
cd <%= node['gitlab']['registry']['dir'] %>
|
||||
|
||||
exec chpst -P \
|
||||
-U <%= node['gitlab']['registry']['username'] %> \
|
||||
-u <%= node['gitlab']['registry']['group'] %> \
|
||||
/opt/gitlab/embedded/bin/registry serve ./config.yml
|
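Review bot: The `chpst` invocation in the run script passes the group name as the user: `-U <%= username %>` only sets the environment UID/GID, `-u <%= group %>` is what actually switches the process, and `-u` takes `user[:group]`, so this works only because the default username and group are both `registry`. A custom `registry['group']` that differs from the username would make chpst look up a user by the group's name and fail, or run the registry as an unintended account. Use the `user:group` form on both flags: `-U <%= node['gitlab']['registry']['username'] %>:<%= node['gitlab']['registry']['group'] %> \` and `-u <%= node['gitlab']['registry']['username'] %>:<%= node['gitlab']['registry']['group'] %> \`.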