Artifact Registry for GitLab.com
Overview
The Artifact Registry for GitLab.com is an alternate private Docker registry for the GitLab.com Kubernetes clusters. It serves as a reliable alternative to the registries at registry.gitlab.com and dev.gitlab.org, isolating the clusters from availability issues in either of those environments.
Configuration
Configuration of the Artifact Registry is done in Terraform in the gitlab-com-artifact-registry environment.
There is one service account, artifact-registry-rw@gitlab-com-artifact-registry.iam.gserviceaccount.com, whose key is set as the CI variable ARTIFACT_REGISTRY_SA_FILE in the CNG pipeline CI variables on dev.gitlab.org.
For the Kubernetes clusters, access is granted with IAM at the project level for PreProd, Ops, Staging and Production. This access allows all Kubernetes clusters to read from the Artifact Registry without any secrets configuration.
Note: This does not allow you to use docker or crictl on the nodes to pull images; you must authenticate to access the registry from a shell or container.
Troubleshooting
Images are not present in the Artifact Registry
If an image is not present in the Artifact Registry, it is most likely that either the image wasn’t synchronized correctly from dev.gitlab.org or the image was deleted.
Images are synchronized from dev.gitlab.org in the CNG pipeline.
The sync-images-artifact-registry job runs at the end of the CNG pipeline for all tagged builds on dev.gitlab.org. Check the job output for the appropriate tag to see whether the sync was done properly (e.g.: sync job).
Accessing the Artifact Registry
See the docs for different ways of authenticating to the Artifact Registry.
The easiest way to authenticate and access images is to authenticate using your own account:
gcloud auth login # if necessary
gcloud auth configure-docker us-east1-docker.pkg.dev
docker pull us-east1-docker.pkg.dev/gitlab-com-artifact-registry/images/gitlab-container-registry:v3.64.0-gitlab
Image cleanup
Cleanup policies are configured in the Artifact Registry to keep the 300 latest image versions and delete all other image versions older than 7 days.
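When troubleshooting a missing image, it helps to know whether the cleanup rule above could have removed it or whether the sync job is the first place to look. The following Python is an added example, not part of the runbook or GitLab's tooling, that models the stated rule. It assumes "latest" is ranked by creation time within one image and that the keep rule overrides the delete rule; the function names, result labels and sample data are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

KEEP_LATEST = 300                      # page: keep the 300 latest image versions
DELETE_OLDER_THAN = timedelta(days=7)  # page: delete other versions older than 7 days


def would_delete(versions, now):
    """Return ids of versions the policy would delete.

    versions: iterable of (version_id, created_at) for one image.
    Assumption: "latest" means newest by creation time, and the keep rule
    overrides the delete rule for the newest KEEP_LATEST versions.
    """
    newest_first = sorted(versions, key=lambda v: v[1], reverse=True)
    return {
        vid
        for rank, (vid, created) in enumerate(newest_first)
        if rank >= KEEP_LATEST and now - created > DELETE_OLDER_THAN
    }


def triage_missing(built_at, present_created_times, now):
    """Suggest where to look first for an image that is absent from the registry.

    built_at: when the missing tag was built (from the CNG pipeline).
    present_created_times: creation times of versions still in the registry.
    """
    newer = sum(1 for t in present_created_times if t > built_at)
    if now - built_at > DELETE_OLDER_THAN and newer >= KEEP_LATEST:
        return "cleanup-plausible"   # outside both the keep window and the age limit
    return "check-sync-job"          # cleanup should not have touched it yet


def constructed_history(now, count, spacing):
    """Constructed sample data: `count` versions, one every `spacing`, newest at `now`."""
    return [(f"v{i}", now - i * spacing) for i in range(count)]


if __name__ == "__main__":
    now = datetime(2024, 1, 31, tzinfo=timezone.utc)  # constructed reference time
    hourly = constructed_history(now, 400, timedelta(hours=1))
    burst = constructed_history(now, 400, timedelta(minutes=20))
    print(len(would_delete(hourly, now)))   # slow cadence: oldest 100 are deleted
    print(len(would_delete(burst, now)))    # fast cadence: all are under 7 days old
    times = [t for _, t in hourly]
    print(triage_missing(now - timedelta(days=20), times, now))
    print(triage_missing(now - timedelta(days=10), times, now))
```

A version is removed only when it is both outside the newest 300 and older than 7 days, so a burst of builds can leave more than 300 versions in the registry for a while.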