Registry Mirror¶
The Registry Mirror role provides a pull-through proxy to Docker Hub, optionally authenticating to Docker Hub with the configured credentials. This helps to prevent rate-limiting issues and saves on data traffic when using images from Docker Hub. An S3 bucket is automatically created when one or more Registry Mirror nodes are requested; it stores the cached images in a pool shared by all Registry Mirror nodes. The cache is automatically cleaned up by the hive.
This mirror does not cache images from other sources such as Quay or GitHub Container Registry.
By default, the mirror is accessed through the internal NLB, with TLS pre-configured, on port 5000.
For this, the registry-mirror.<prefix>.glhc.nl domain name is added as an internal DNS zone.
Changing the domain name, or accessing the Registry Mirror from outside the cluster VPC, is currently not supported.
When enabled, any runners in the same cluster are automatically configured to use the Registry Mirror. The runners are also set to expose some variables to all jobs to help users utilize the Registry Mirror when using Docker-in-Docker or Kaniko.
Basic required configuration¶
The following example is enough to get started using the Registry Mirror service:

```hcl
# Terraform
module "gitlab_cluster" {
  # [...]
  registry_mirror_node_count    = 1
  registry_mirror_instance_type = "t3a.medium"
}
```

```yaml
# Ansible: inventory/sensitive_vars.yml
all:
  vars:
    # The shared secret is automatically generated by newer versions of our environment-template
    registry_mirror_shared_secret: "not-a-real-secret-please-ignore"
    # Docker Hub authentication - Optional but highly recommended
    registry_mirror_docker_hub_username: "my_username"
    registry_mirror_docker_hub_password: "dckr_pat_TestTokenPlsIgnore-AbCd1234"
```
Variables available to CI jobs¶
The following variables are exposed:
| Name | Content | Description |
|---|---|---|
| `DOCKER_REGISTRY_MIRROR` | `https://registry-mirror.<prefix>.glhc.nl` | URL of the internal load balancer pointing to the Registry Mirror nodes |
| `KANIKO_MIRROR_ARGS` | `--registry-mirror https://registry-mirror.<prefix>.glhc.nl` | Shortcut for the Kaniko command line to use the mirror in Kaniko build jobs |
In most shells, an undefined variable expands to an empty string, so `KANIKO_MIRROR_ARGS` is safe to include in CI templates that are also used on runners where the variable is not set.
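As an added example (not part of the original documentation), a `.gitlab-ci.yml` fragment that consumes both variables: a Kaniko job that appends `$KANIKO_MIRROR_ARGS` unquoted, so it expands to nothing on runners without the mirror, and a Docker-in-Docker job that passes `$DOCKER_REGISTRY_MIRROR` to the job's own `dockerd`. The image tags, the Dockerfile path and the assumption that the runner expands variables inside `services:command` are mine, not the page's.

```yaml
# Added example, not from the original page. Assumes the runner exposes
# DOCKER_REGISTRY_MIRROR and KANIKO_MIRROR_ARGS as described above.

# Kaniko: $KANIKO_MIRROR_ARGS is deliberately left unquoted. When set it
# splits into "--registry-mirror <url>"; when empty (a runner without the
# mirror) it expands to nothing and the build pulls from Docker Hub directly.
build-kaniko:
  image:
    name: gcr.io/kaniko-project/executor:debug   # assumed tag
    entrypoint: [""]
  script:
    - /kaniko/executor
        --context "$CI_PROJECT_DIR"
        --dockerfile "$CI_PROJECT_DIR/Dockerfile"
        --destination "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"
        $KANIKO_MIRROR_ARGS

# Docker-in-Docker: the runner host is configured by the cluster, but the
# dind service inside the job runs its own dockerd, which is not. Hand the
# mirror URL to that daemon explicitly. Unlike the Kaniko case, an empty
# DOCKER_REGISTRY_MIRROR here becomes `--registry-mirror ""`, which is not a
# valid mirror, so only use this job on runners that set the variable.
build-dind:
  image: docker:24                                # assumed tag
  services:
    - name: docker:24-dind                        # assumed tag
      command: ["--registry-mirror", "$DOCKER_REGISTRY_MIRROR"]
  variables:
    DOCKER_TLS_CERTDIR: "/certs"
  script:
    # Verify the job's daemon actually picked up the mirror before building.
    - docker info --format '{{ .RegistryConfig.Mirrors }}'
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA" .
```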
Optional Ansible configuration¶
For further configuration of the Registry Mirror nodes themselves, the following relevant Ansible variables are available:
| Name | Default | Description |
|---|---|---|
| `registry_mirror_docker_image` | `"registry:2.8.3"` | The Docker image used to run the registry daemon. |
| `registry_mirror_shared_secret` | `""` | A shared secret that needs to be the same on all nodes. |
| `registry_mirror_docker_hub_username` | `""` | Username for Docker Hub authentication |
| `registry_mirror_docker_hub_password` | `""` | Password for Docker Hub authentication |
| `registry_mirror_bucket_name` | `"{{ gitlab_object_storage_prefix }}-registry-mirror"` | Name of the S3 bucket that is used to store cached images |
| `registry_mirror_bucket_location` | `"{{ aws_region }}"` | Region of the S3 bucket that is used to store cached images |
| `registry_mirror_bucket_encrypt` | `true` | Controls the S3 encryption flag for the S3 bucket |
| `registry_mirror_bucket_encryption_key` | `""` | KMS key to use for S3 encryption |
Optional Terraform configuration¶
The following relevant Terraform variables are available:
| Name | Default | Description |
|---|---|---|
| `registry_mirror_node_count` | `0` | Number of Registry Mirror nodes to create |
| `registry_mirror_instance_type` | `""` | Instance type of the Registry Mirror node(s) |
| `registry_mirror_disk_type` | `gp3` | Optional |
| `registry_mirror_disk_size` | `50` | Optional |
| `registry_mirror_disk_encrypt` | `true` | Optional |
| `registry_mirror_disk_delete_on_termination` | `true` | Optional |
| `registry_mirror_disk_kms_key_arn` | `null` | Optional |
| `registry_mirror_iam_instance_policy_arns` | `[]` | Optional |