Connecting Gitlab with Harbor for automated token issuing
GitLab CI has a nice feature that generates Docker registry tokens for each job, but it works only with GitLab's own Docker registry and not with external ones such as Harbor, Nexus or Quay.
It is possible to set up an external Docker registry for GitLab; this is well described in the documentation section "Use an external container registry with GitLab as an auth endpoint".
That documentation proposes configuring a brand new docker-registry with token-based authentication. Harbor also uses docker-registry as its backend, so in principle we could configure that one instead, but the problem is that GitLab and Harbor each require their own auth parameters, and those conflict. Example:
Harbor requires:
auth:
  token:
    issuer: harbor-token-issuer
    realm: https://harbor.example.org/service/token
    rootcertbundle: /etc/registry/root.crt
    service: harbor-registry
GitLab requires:
auth:
  token:
    issuer: gitlab-issuer
    realm: https://gitlab.example.org/jwt/auth
    rootcertbundle: /etc/registry/root.crt
    service: container_registry
This is expected, since each system performs authentication on its own side.
Solution
The solution is to run two near-identical docker-registries sharing the same storage backend.
If you installed Harbor with the docker-compose method this is easy to do. First make a backup copy of your docker-compose.yml file:
cp docker-compose.yml docker-compose.yml.orig
Then edit it and copy the registry section with the following changes:
Save the patch for future use:
diff -u docker-compose.yml.orig docker-compose.yml > gitlab.patch
Now create a new directory and a config for the new registry:
mkdir gitlab
cp common/config/registry/config.yml gitlab/config.yml
cp /data/cert/server.{crt,key} gitlab/
chown 10000:10000 -R gitlab
And update your gitlab/config.yml:
The storage, networks and notifications sections must stay the same, since they are what lets Harbor register changes in the Docker repository.
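The edit above boils down to changing only the auth.token values and leaving everything else in Harbor's registry config untouched. The following script is an added example (not from the original post or from Harbor) that derives the GitLab-facing config.yml from Harbor's one with awk, so the storage and notifications sections cannot drift by accident. The sample Harbor config it embeds is constructed for the example; the issuer, realm and service values are the ones used in this post, and gitlab.example.org is an assumed hostname.

```shell
#!/usr/bin/env bash
# Added example (not from the post): derive the GitLab-facing registry config
# from Harbor's own registry config.yml. Only the values under auth.token change;
# storage, notifications and everything else are copied verbatim so Harbor
# still sees pushes made through the second registry.
set -eu

# derive_gitlab_config <harbor-config.yml> <gitlab-host>
# Prints the derived config on stdout. Replacements are restricted to the
# top-level "auth:" block so that same-named keys elsewhere are left alone.
derive_gitlab_config() {
  local src="$1" gitlab_host="$2"
  awk -v realm="https://${gitlab_host}/jwt/auth" '
    # a line starting in column 1 (not a comment) is a top-level key;
    # remember whether we just entered the auth: block
    /^[^[:space:]#]/ { in_auth = ($0 ~ /^auth:/) }
    in_auth && /^[[:space:]]+issuer:/  { sub(/issuer:.*/,  "issuer: gitlab-issuer") }
    in_auth && /^[[:space:]]+realm:/   { sub(/realm:.*/,   "realm: " realm) }
    in_auth && /^[[:space:]]+service:/ { sub(/service:.*/, "service: container_registry") }
    { print }
  ' "$src"
}

# Constructed sample of a Harbor registry config.yml (trimmed to the parts
# that matter here); a real one lives at common/config/registry/config.yml.
sample_harbor_config() {
  cat <<'EOF'
version: 0.1
log:
  level: info
storage:
  filesystem:
    rootdirectory: /storage
  delete:
    enabled: true
auth:
  token:
    issuer: harbor-token-issuer
    realm: https://harbor.example.org/service/token
    rootcertbundle: /etc/registry/root.crt
    service: harbor-registry
notifications:
  endpoints:
    - name: harbor
      url: http://core:8080/service/notifications
EOF
}

# Demo: derive the config from the constructed sample and print the result.
tmp="$(mktemp)"
sample_harbor_config > "$tmp"
derive_gitlab_config "$tmp" gitlab.example.org
rm -f "$tmp"
```

For the real setup you would run `derive_gitlab_config common/config/registry/config.yml gitlab.example.org > gitlab/config.yml` instead of the demo at the bottom; rootcertbundle is intentionally left as is, because both registries verify tokens against the certificate you copy into the gitlab/ directory.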
Let’s start it:
docker-compose up -d
Now we should have a new docker-registry service listening on port 5000.
If something goes wrong, you can always check the log file kindly provided by the Harbor logger: /var/log/harbor/registry-gitlab.log
Done; now we need to configure GitLab.
sed -z 's/\n/\\n/g' /data/secret/registry/root.crt
Save the output to the registry['internal_key'] parameter and add a few others:
gitlab_rails['registry_enabled'] = true
gitlab_rails['registry_api_url'] = "https://harbor.example.org:5000"
gitlab_rails['registry_issuer'] = "gitlab-issuer"
gitlab_rails['registry_host'] = "harbor.example.org"
gitlab_rails['registry_port'] = "5000"
Now reconfigure Gitlab:
gitlab-ctl reconfigure
Job is done!
From now on you should be able to access your registry with GitLab credentials at harbor.example.org:5000, and you can still use the old address harbor.example.org with Harbor credentials.
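A quick way to confirm that the split actually took effect is to look at the Bearer challenge each endpoint returns: an unauthenticated GET of /v2/ answers 401 with a WWW-Authenticate header naming the realm and service, so port 5000 should advertise the GitLab realm and the old address the Harbor one. The script below is an added example (not from the original post) that parses such a challenge and compares it with the expected values; the two header lines it uses are constructed for the example, and the hostnames are the ones assumed throughout this post.

```shell
#!/usr/bin/env bash
# Added example (not from the post): check which token issuer a registry
# endpoint advertises. After the split, harbor.example.org:5000 should name
# the GitLab realm/service and harbor.example.org the Harbor ones.
set -eu

# challenge_param <header-line> <param>
# Prints the quoted value of realm=/service= from a "Bearer ..." challenge.
challenge_param() {
  printf '%s\n' "$1" | sed -nE "s/.*[ ,]${2}=\"([^\"]*)\".*/\1/p"
}

# verify_challenge <header-line> <expected-realm> <expected-service>
# Returns 0 when the challenge matches, 1 otherwise (with a diagnostic on stderr).
verify_challenge() {
  local hdr="$1" want_realm="$2" want_service="$3"
  local realm service
  realm="$(challenge_param "$hdr" realm)"
  service="$(challenge_param "$hdr" service)"
  if [ "$realm" = "$want_realm" ] && [ "$service" = "$want_service" ]; then
    echo "ok: realm=$realm service=$service"
    return 0
  fi
  echo "MISMATCH: got realm=$realm service=$service, want realm=$want_realm service=$want_service" >&2
  return 1
}

# Constructed sample challenges, as the two registries would return them.
GITLAB_HDR='WWW-Authenticate: Bearer realm="https://gitlab.example.org/jwt/auth",service="container_registry"'
HARBOR_HDR='WWW-Authenticate: Bearer realm="https://harbor.example.org/service/token",service="harbor-registry"'

# Against a live deployment you would fetch the header instead, e.g.:
#   curl -sI https://harbor.example.org:5000/v2/ | grep -i '^www-authenticate'
verify_challenge "$GITLAB_HDR" https://gitlab.example.org/jwt/auth container_registry
verify_challenge "$HARBOR_HDR" https://harbor.example.org/service/token harbor-registry
```

If port 5000 still reports the Harbor realm, the new registry is reading the wrong config.yml (or the old one was not restarted), which is worth catching before pointing GitLab at it.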
The integration isn't ideal: you need to create the Harbor project before pushing new images, otherwise Harbor will not see them. Also, deleting images (as opposed to tags) is better done on the Harbor side, because it cannot remove images with no tags assigned.