Using the Container Registry

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab Self-Managed

The registry sub-chart provides the Registry component to a complete cloud-native GitLab deployment on Kubernetes. This sub-chart is based on the upstream chart and contains the GitLab Container Registry.

This chart is composed of 3 primary parts:

All configuration is handled according to the Registry configuration documentation using /etc/docker/registry/config.yml variables provided to the Deployment populated from the ConfigMap. The ConfigMap overrides the upstream defaults, but is based on them. See below for more details:

Design Choices

A Kubernetes Deployment was chosen as the deployment method for this chart to allow for simple scaling of instances, while allowing for rolling updates.

This chart makes use of two required secrets and one optional:


  • global.registry.certificate.secret: A global secret that will contain the public certificate bundle to verify the authentication tokens provided by the associated GitLab instance(s). See documentation on using GitLab as an auth endpoint.
  • global.registry.httpSecret.secret: A global secret that will contain the shared secret between registry pods.


  • profiling.stackdriver.credentials.secret: If Stackdriver profiling is enabled and you need to provide explicit service account credentials, then the value in this secret (in the credentials key by default) is the GCP service account JSON credentials. If you are using GKE and are providing service accounts to your workloads using Workload Identity (or node service accounts, although this is not recommended), then this secret is not required and should not be supplied. In either case, the service account requires the role roles/cloudprofiler.agent or equivalent manual permissions


We will describe all the major sections of the configuration below. When configuring from the parent chart, these values will be:

      enabled: false
      enabled: true
      age: 168h
      interval: 24h
      dryrun: false
    tag: 'v4.15.2-gitlab'
    pullPolicy: IfNotPresent
    type: ClusterIP
    name: registry
    secret: gitlab-registry
    key: registry-auth.crt
    terminationGracePeriodSeconds: 30
  draintimeout: '0'
    minReplicas: 2
    maxReplicas: 10
      targetAverageUtilization: 75
        stabilizationWindowSeconds: 300
    key: storage
    disabled: true
      referencelimit: 0
      payloadsizelimit: 0
        allow: []
        deny: []
  notifications: {}
  tolerations: []
  affinity: {}
    enabled: false
      enabled: true
      secretName: redis
    enabled: false
      enabled: false
      rules: []
      enabled: false
      rules: []
    create: false
    automountServiceAccountToken: false
    enabled: false
    verify: true

If you chose to deploy this chart as a standalone, remove the registry at the top level.

Installation parameters

annotationsPod annotations
podLabelsSupplemental Pod labels. Will not be used for selectors.
common.labelsSupplemental labels that are applied to all objects created by this chart.
authAutoRedirecttrueAuth auto-redirect (must be true for Windows clients to work)
authEndpointglobal.hosts.gitlab.nameAuth endpoint (only host and port)
certificate.secretgitlab-registryJWT certificate
debug.addr.port5001Debug port
debug.tls.enabledfalseEnable TLS for the debug port for the registry. Impacts liveness and readiness probes, as well as the metrics endpoint (if enabled)
debug.tls.secretNameThe name of the Kubernetes TLS Secret that contains a valid certificate and key for the registry debug endpoint. When not set and debug.tls.enabled=true - the debug TLS configuration will default to the registry’s TLS certificate.
debug.prometheus.enabledfalseDEPRECATED Use metrics.enabled
debug.prometheus.path""DEPRECATED Use metrics.path
metrics.enabledfalseIf a metrics endpoint should be made available for scraping
metrics.path/metricsMetrics endpoint path
metrics.serviceMonitor.enabledfalseIf a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the scrape annotations
metrics.serviceMonitor.additionalLabels{}Additional labels to add to the ServiceMonitor
metrics.serviceMonitor.endpointConfig{}Additional endpoint configuration for the ServiceMonitor
deployment.terminationGracePeriodSeconds30Optional duration in seconds the pod needs to terminate gracefully.
deployment.strategy{}Allows one to configure the update strategy utilized by the deployment
draintimeout'0'Amount of time to wait for HTTP connections to drain after receiving a SIGTERM signal (e.g. '10s')
relativeurlsfalseEnable the registry to return relative URLs in Location headers.
enabledtrueEnable registry flag
hpa.behavior{scaleDown: {stabilizationWindowSeconds: 300 }}Behavior contains the specifications for up- and downscaling behavior (requires autoscaling/v2beta2 or higher)
hpa.customMetrics[]Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in targetAverageUtilization)
hpa.cpu.targetTypeUtilizationSet the autoscaling CPU target type, must be either Utilization or AverageValue
hpa.cpu.targetAverageValueSet the autoscaling CPU target value
hpa.cpu.targetAverageUtilization75Set the autoscaling CPU target utilization
hpa.memory.targetTypeSet the autoscaling memory target type, must be either Utilization or AverageValue
hpa.memory.targetAverageValueSet the autoscaling memory target value
hpa.memory.targetAverageUtilizationSet the autoscaling memory target utilization
hpa.minReplicas2Minimum number of replicas
hpa.maxReplicas10Maximum number of replicas
httpSecretHttps secret
extraEnvFromList of extra environment variables from other data sources to expose
image.pullPolicyPull policy for the registry image
image.pullSecretsSecrets to use for image repository image
image.tagv4.15.2-gitlabVersion of the image to use
init.image.repositoryinitContainer image
init.image.taginitContainer image tag
init.containerSecurityContextinitContainer specific securityContext
init.containerSecurityContext.runAsUser1000initContainer specific: User ID under which the container should be started
init.containerSecurityContext.allowPrivilegeEscalationfalseinitContainer specific: Controls whether a process can gain more privileges than its parent process
init.containerSecurityContext.runAsNonRoottrueinitContainer specific: Controls whether the container runs with a non-root user
init.containerSecurityContext.capabilities.drop[ "ALL" ]initContainer specific: Removes Linux capabilities for the container
keda.enabledfalseUse KEDA ScaledObjects instead of HorizontalPodAutoscalers
keda.pollingInterval30The interval to check each trigger on
keda.cooldownPeriod300The period to wait after the last trigger reported active before scaling the resource back to 0
keda.minReplicaCountMinimum number of replicas KEDA will scale the resource down to, defaults to hpa.minReplicas
keda.maxReplicaCountMaximum number of replicas KEDA will scale the resource up to, defaults to hpa.maxReplicas
keda.fallbackKEDA fallback configuration, see the documentation
keda.hpaNameThe name of the HPA resource KEDA will create, defaults to keda-hpa-{scaled-object-name}
keda.restoreToOriginalReplicaCountSpecifies whether the target resource should be scaled back to original replicas count after the ScaledObject is deleted
keda.behaviorThe specifications for up- and downscaling behavior, defaults to hpa.behavior
keda.triggersList of triggers to activate scaling of the target resource, defaults to triggers computed from hpa.cpu and hpa.memory
log{level: info, fields: {service: registry}}Configure the logging options
minio.bucketglobal.registry.bucketLegacy registry bucket name
maintenance.readonly.enabledfalseEnable registry’s read-only mode
maintenance.uploadpurging.enabledtrueEnable upload purging
maintenance.uploadpurging.age168hPurge uploads older than the specified age
maintenance.uploadpurging.interval24hFrequency at which upload purging is performed
maintenance.uploadpurging.dryrunfalseOnly list which uploads will be purged without deleting
priorityClassNamePriority class assigned to pods.
reporting.sentry.enabledfalseEnable reporting using Sentry
reporting.sentry.dsnThe Sentry DSN (Data Source Name)
reporting.sentry.environmentThe Sentry environment
profiling.stackdriver.enabledfalseEnable continuous profiling using Stackdriver
profiling.stackdriver.credentials.secretgitlab-registry-profiling-credsName of the secret containing credentials
profiling.stackdriver.credentials.keycredentialsSecret key in which the credentials are stored
profiling.stackdriver.serviceRELEASE-registry (templated Service name)Name of the Stackdriver service to record profiles under
profiling.stackdriver.projectidGCP project where runningGCP project to report profiles to
database.configurefalsePopulate database configuration in the registry chart without enabling it. Required when migrating an existing registry.
database.enabledfalseEnable metadata database. This is an experimental feature and must not be used in production environments.
database.hostglobal.psql.hostThe database server hostname.
database.portglobal.psql.portThe database server port.
database.userThe database username.
database.password.secretRELEASE-registry-database-passwordName of the secret containing the database password.
database.password.keypasswordSecret key in which the database password is stored.
database.nameThe database name.
database.sslmodeThe SSL mode. Can be one of disable, allow, prefer, require, verify-ca or verify-full.
database.ssl.secretglobal.psql.ssl.secretA secret containing client certificate, key and certificate authority. Defaults to the main PostgreSQL SSL secret.
database.ssl.clientCertificateglobal.psql.ssl.clientCertificateThe key inside the secret referring the client certificate.
database.ssl.clientKeyglobal.psql.ssl.clientKeyThe key inside the secret referring the client key.
database.ssl.serverCAglobal.psql.ssl.serverCAThe key inside the secret referring the certificate authority (CA).
database.connecttimeout0Maximum time to wait for a connection. Zero or not specified means waiting indefinitely.
database.draintimeout0Maximum time to wait to drain all connections on shutdown. Zero or not specified means waiting indefinitely.
database.preparedstatementsfalseEnable prepared statements. Disabled by default for compatibility with PgBouncer.
database.primaryfalseTarget primary database server. This is used to specify a dedicated FQDN to target when running registry database.migrations. The host will be used to run database.migrations when not specified.
database.pool.maxidle0The maximum number of connections in the idle connection pool. If maxopen is less than maxidle, then maxidle is reduced to match the maxopen limit. Zero or not specified means no idle connections.
database.pool.maxopen0The maximum number of open connections to the database. If maxopen is less than maxidle, then maxidle is reduced to match the maxopen limit. Zero or not specified means unlimited open connections.
database.pool.maxlifetime0The maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse. Zero or not specified means unlimited reuse.
database.pool.maxidletime0The maximum amount of time a connection may be idle. Expired connections may be closed lazily before reuse. Zero or not specified means unlimited duration.
database.loadBalancing.enabledfalseEnable database load balancing. This is an experimental feature and must not be used in production environments.
database.loadBalancing.nameserver.hostlocalhostThe host of the nameserver to use for looking up the DNS record.
database.loadBalancing.nameserver.port8600The port of the nameserver to use for looking up the DNS record.
database.loadBalancing.recordThe SRV record to look up. This option is required for service discovery to work.
database.loadBalancing.replicaCheckInterval1mThe minimum amount of time between checking the status of a replica.
database.migrations.enabledtrueEnable the migrations job to automatically run migrations upon initial deployment and upgrades of the Chart. Note that migrations can also be run manually from within any running Registry pods.
database.migrations.activeDeadlineSeconds3600Set the activeDeadlineSeconds on the migrations job.
database.migrations.annotations{}Additional annotations to add to the migrations job.
database.migrations.backoffLimit6Set the backoffLimit on the migrations job.
database.backgroundMigrations.enabledfalseEnable background migrations for the database. This is an experimental feature for the Registry metadata database. Do not use in production. See the specification for a detailed explanation of how it works.
database.backgroundMigrations.jobIntervalThe sleep interval between each background migration job worker run. When not specified a default value is set by the registry.
database.backgroundMigrations.maxJobRetriesThe maximum number of retries for a failed background migration job. When not specified a default value is set by the registry.
gc.disabledtrueWhen set to true, the online GC workers are disabled.
gc.maxbackoff24hThe maximum exponential backoff duration used to sleep between worker runs when an error occurs. Also applied when there are no tasks to be processed unless gc.noidlebackoff is true. Please note that this is not the absolute maximum, as a randomized jitter factor of up to 33% is always added.
gc.noidlebackofffalseWhen set to true, disables exponential backoffs between worker runs when there are no tasks to be processed.
gc.transactiontimeout10sThe database transaction timeout for each worker run. Each worker starts a database transaction at the start. The worker run is canceled if this timeout is exceeded to avoid stalled or long-running transactions.
gc.blobs.disabledfalseWhen set to true, the GC worker for blobs is disabled.
gc.blobs.interval5sThe initial sleep interval between each worker run.
gc.blobs.storagetimeout5sThe timeout for storage operations. Used to limit the duration of requests to delete dangling blobs on the storage backend.
gc.manifests.disabledfalseWhen set to true, the GC worker for manifests is disabled.
gc.manifests.interval5sThe initial sleep interval between each worker run.
gc.reviewafter24hThe minimum amount of time after which the garbage collector should pick up a record for review. -1 means no wait.
securityContext.fsGroup1000Group ID under which the pod should be started
securityContext.runAsUser1000User ID under which the pod should be started
securityContext.fsGroupChangePolicyPolicy for changing ownership and permission of the volume (requires Kubernetes 1.23)
securityContext.seccompProfile.typeRuntimeDefaultSeccomp profile to use
containerSecurityContextOverride container securityContext under which the container is started
containerSecurityContext.runAsUser1000Allow to overwrite the specific security context user ID under which the container is started
containerSecurityContext.allowPrivilegeEscalationfalseControls whether a process of the Gitaly container can gain more privileges than its parent process
containerSecurityContext.runAsNonRoottrueControls whether the container runs with a non-root user
containerSecurityContext.capabilities.drop[ "ALL" ]Removes Linux capabilities for the Gitaly container
serviceAccount.automountServiceAccountTokenfalseIndicates whether or not the default ServiceAccount access token should be mounted in pods
serviceAccount.enabledfalseIndicates whether or not to use a ServiceAccount
serviceLabels{}Supplemental service labels
tokenServicecontainer_registryJWT token service
tokenIssuergitlab-issuerJWT token issuer
tolerations[]Toleration labels for pod assignment
affinity{}Affinity rules for pod assignment
middleware.storageconfiguration layer for midleware storage (s3 for instance)
redis.cache.enabledfalseWhen set to true, the Redis cache is enabled. This feature is dependent on the metadata database being enabled. Repository metadata will be cached on the configured Redis instance.<Redis URL>The hostname of the Redis instance. If empty, the value will be filled as
redis.cache.port6379The port of the Redis instance.
redis.cache.sentinels[]List sentinels with host and port.
redis.cache.mainnameThe main server name. Only applicable for Sentinel.
redis.cache.password.enabledfalseIndicates whether the Redis cache used by the Registry is password protected.
redis.cache.password.secretgitlab-redis-secretName of the secret containing the Redis password. This will be automatically created if not provided, when the shared-secrets feature is enabled.
redis.cache.password.keyredis-passwordSecret key in which the Redis password is stored.
redis.cache.sentinelpassword.enabledfalseIndicates whether Redis Sentinels are password protected. If redis.cache.sentinelpassword is empty, the values from global.redis.sentinelAuth are used. Only used when redis.cache.sentinels is defined.
redis.cache.sentinelpassword.secretgitlab-redis-secretName of the secret containing the Redis Sentinel password.
redis.cache.sentinelpassword.keyredis-sentinel-passwordSecret key in which the Redis Sentinel password is stored.
redis.cache.db0The name of the database to use for each connection.
redis.cache.dialtimeout0sThe timeout for connecting to the Redis instance. Defaults to no timeout.
redis.cache.readtimeout0sThe timeout for reading from the Redis instance. Defaults to no timeout.
redis.cache.writetimeout0sThe timeout for writing to the Redis instance. Defaults to no timeout.
redis.cache.tls.enabledfalseSet to true to enable TLS.
redis.cache.tls.insecurefalseSet to true to disable server name verification when connecting over TLS.
redis.cache.pool.size10The maximum number of socket connections. Default is 10 connections.
redis.cache.pool.maxlifetime1hThe connection age at which client retires a connection. Default is to not close aged connections.
redis.cache.pool.idletimeout300sHow long to wait before closing inactive connections.
redis.rateLimiting.enabledfalseWhen set to true, the Redis rate limiter is enabled. This feature is under development.<Redis URL>The hostname of the Redis instance. If empty, the value will be filled as
redis.rateLimiting.port6379The port of the Redis instance.
redis.rateLimiting.cluster[]List of addresses with host and port.
redis.rateLimiting.sentinels[]List sentinels with host and port.
redis.rateLimiting.mainnameThe main server name. Only applicable for Sentinel.
redis.rateLimiting.usernameThe username used to connect to the Redis instance.
redis.rateLimiting.password.enabledfalseIndicates whether the Redis instance is password protected.
redis.rateLimiting.password.secretgitlab-redis-secretName of the secret containing the Redis password. This will be automatically created if not provided, when the shared-secrets feature is enabled.
redis.rateLimiting.password.keyredis-passwordSecret key in which the Redis password is stored.
redis.rateLimiting.db0The name of the database to use for each connection.
redis.rateLimiting.dialtimeout0sThe timeout for connecting to the Redis instance. Defaults to no timeout.
redis.rateLimiting.readtimeout0sThe timeout for reading from the Redis instance. Defaults to no timeout.
redis.rateLimiting.writetimeout0sThe timeout for writing to the Redis instance. Defaults to no timeout.
redis.rateLimiting.tls.enabledfalseSet to true to enable TLS.
redis.rateLimiting.tls.insecurefalseSet to true to disable server name verification when connecting over TLS.
redis.rateLimiting.pool.size10The maximum number of socket connections.
redis.rateLimiting.pool.maxlifetime1hThe connection age at which the client retires a connection. Default is to not close aged connections.
redis.rateLimiting.pool.idletimeout300sHow long to wait before closing inactive connections.

Chart configuration examples


pullSecrets allows you to authenticate to a private registry to pull images for a pod.

Additional details about private registries and their authentication methods can be found in the Kubernetes documentation.

Below is an example use of pullSecrets:

  repository: my.registry.repository
  tag: latest
  pullPolicy: Always
  - name: my-secret-name
  - name: my-secondary-secret-name


This section controls if a ServiceAccount should be created and if the default access token should be mounted in pods.

automountServiceAccountTokenBooleanfalseControls if the default ServiceAccount access token should be mounted in pods. You should not enable this unless it is required by certain sidecars to work properly (for example, Istio).
enabledBooleanfalseIndicates whether or not to use a ServiceAccount.


tolerations allow you schedule pods on tainted worker nodes

Below is an example use of tolerations:

- key: "node_label"
  operator: "Equal"
  value: "true"
  effect: "NoSchedule"
- key: "node_label"
  operator: "Equal"
  value: "true"
  effect: "NoExecute"


affinity is an optional parameter that allows you to set either or both:

  • podAntiAffinity rules to:
    • Not schedule pods in the same domain as the pods that match the expression corresponding to the topology key.
    • Set two modes of podAntiAffinity rules: required (requiredDuringSchedulingIgnoredDuringExecution) and preferred (preferredDuringSchedulingIgnoredDuringExecution). Using the variable antiAffinity in values.yaml, set the setting to soft so that the preferred mode is applied or set it to hard so that the required mode is applied.
  • nodeAffinity rules to:
    • Schedule pods to nodes that belong to a specific zone or zones.
    • Set two modes of nodeAffinity rules: required (requiredDuringSchedulingIgnoredDuringExecution) and preferred (preferredDuringSchedulingIgnoredDuringExecution). When set to soft, the preferred mode is applied. When set to hard, the required mode is applied. This rule is implemented only for the registry chart and the gitlab chart alongwith all its subcharts except webservice and sidekiq.

nodeAffinity only implements the In operator.

For more information, see the relevant Kubernetes documentation.

The following example sets affinity, with both nodeAffinity and antiAffinity set to hard:

nodeAffinity: "hard"
antiAffinity: "hard"
    key: ""
    - us-east1-a
    - us-east1-b
    topologyKey: ""


annotations allows you to add annotations to the registry pods.

Below is an example use of annotations

annotations: annotation-value

Enable the sub-chart

The way we’ve chosen to implement compartmentalized sub-charts includes the ability to disable the components that you may not want in a given deployment. For this reason, the first setting you should decide on is enabled.

By default, Registry is enabled out of the box. Should you wish to disable it, set enabled: false.

Configuring the image

This section details the settings for the container image used by this sub-chart’s Deployment. You can change the included version of the Registry and pullPolicy.

Default settings:

  • tag: 'v4.15.2-gitlab'
  • pullPolicy: 'IfNotPresent'

Configuring the service

This section controls the name and type of the Service. These settings will be populated by values.yaml.

By default, the Service is configured as:

nameStringregistryConfigures the name of the service
typeStringClusterIPConfigures the type of the service
externalPortInt5000Port exposed by the Service
internalPortInt5000Port utilized by the Pod to accept request from the service
clusterIPStringnullAllows one to configure a custom Cluster IP as necessary
loadBalancerIPStringnullAllows one to configure a custom LoadBalancer IP address as necessary

Configuring the ingress

This section controls the registry Ingress.

apiVersionStringValue to use in the apiVersion field.
annotationsStringThis field is an exact match to the standard annotations for Kubernetes Ingress.
configureCertmanagerBooleanToggles Ingress annotation and For more information see the TLS requirement for GitLab Pages.
enabledBooleanfalseSetting that controls whether to create Ingress objects for services that support them. When false the global.ingress.enabled setting is used.
tls.enabledBooleantrueWhen set to false, you disable TLS for the Registry subchart. This is mainly useful for cases in which you cannot use TLS termination at ingress-level, like when you have a TLS-terminating proxy before the Ingress Controller.
tls.secretNameStringThe name of the Kubernetes TLS Secret that contains a valid certificate and key for the registry URL. When not set, the global.ingress.tls.secretName is used instead. Defaults to not being set.
tls.cipherSuitesArray[]The list of cipher suites that Container registry should present to the client during TLS handshake.

Configuring TLS

Container Registry supports TLS which secures its communication with other components, including nginx-ingress.

Prerequisites to configure TLS:

  • The TLS certificate must include the Registry Service host name (for example, RELEASE-registry.default.svc) in the Common Name (CN) or Subject Alternate Name (SAN).
  • After the TLS certificate generates:
    • Create a Kubernetes TLS Secret
    • Create another Secret that only contains the CA certificate of the TLS certificate with ca.crt key.

To enable TLS:

  1. Set registry.tls.enabled to true.
  2. Set global.hosts.registry.protocol to https.
  3. Pass the Secret names to registry.tls.secretName and global.certificates.customCAs accordingly.

When registry.tls.verify is true, you must pass the CA certificate Secret name to registry.tls.caSecretName. This is necessary for self-signed certificates and custom Certificate Authorities. This Secret is used by NGINX to verify the TLS certificate of Registry.

For example:

    - secret: registry-tls-ca
      protocol: https

    enabled: true
    secretName: registry-tls
    verify: true
    caSecretName: registry-tls-ca

Container Registry cipher suites

Normally tls.cipherSuites option should be used only in some very unusual configurations where registry is deployed in a standalone mode and/or some non-default Ingress is used that does not support modern cipher suites. In a standard GitLab deployment, the NGINX Ingress will choose the highest supported TLS version by the container-registry backend, which is TLS1.3 at the moment. TLS1.3 does not allow for configuring ciphers and is secure by default. In case when for some reason TLS1.3 is unavailable, the default TLS1.2 ciphers list that Container Registry is using is also compatible with NGINX Ingress default settings and is secure as well.

Configuring TLS for the debug port

The Registry debug port also supports TLS. The debug port is used for the Kubernetes liveness and readiness checks as well as exposing a /metrics endpoint for Prometheus (if enabled).

TLS can be enabled for by setting registry.debug.tls.enabled to true. A Kubernetes TLS Secret can be provided in registry.debug.tls.secretName dedicated for use in the debug port’s TLS configuration. If a dedicated secret is not specified, the debug configuration will fall back to sharing registry.tls.secretName with the registry’s regular TLS configuration.

For Prometheus to scrape the /metrics/ endpoint using https - additional configuration is required for the certificate’s CommonName attribute or a SubjectAlternativeName entry. See Configuring Prometheus to scrape TLS-enabled endpoints for those requirements.

Configuring the networkpolicy

This section controls the registry NetworkPolicy. This configuration is optional and is used to limit egress and Ingress of the registry to specific endpoints. and Ingress to specific endpoints.

enabledBooleanfalseThis setting enables the NetworkPolicy for registry
ingress.enabledBooleanfalseWhen set to true, the Ingress network policy will be activated. This will block all Ingress connections unless rules are specified.
ingress.rulesArray[]Rules for the Ingress policy, for details see and the example below
egress.enabledBooleanfalseWhen set to true, the Egress network policy will be activated. This will block all egress connections unless rules are specified.
egress.rulesArray[]Rules for the egress policy, these for details see and the example below

Example policy for preventing connections to all internal endpoints

The Registry service normally requires egress connections to object storage, Ingress connections from Docker clients, and kube-dns for DNS lookups. This adds the following network restrictions to the Registry service:

  • Allows Ingress requests:
    • From the pods sidekiq , webservice and nginx-ingress to port 5000
    • From the Prometheus pod to port 9235
  • Allows Egress requests:
    • To kube-dns to port 53
    • To endpoints like AWS VPC endpoint for S3 or STS to port 443
    • To the internet to port 443

Note that the registry service requires outbound connectivity to the public internet for images on external object storage if no endpoint is used

The example is based on the assumption that kube-dns was deployed to the namespace kube-system, prometheus was deployed to the namespace monitoring and nginx-ingress was deployed to the namespace nginx-ingress.

  enabled: true
    enabled: true
      - from:
          - namespaceSelector:
                app: nginx-ingress
                component: controller
          - port: 5000
      - from:
          - namespaceSelector:
                app: prometheus
                component: server
                release: gitlab
          - port: 9235
      - from:
          - podSelector:
                app: sidekiq
          - port: 5000
      - from:
          - podSelector:
                app: webservice
          - port: 5000
    enabled: true
      - to:
          - namespaceSelector:
                k8s-app: kube-dns
          - port: 53
            protocol: UDP
      - to:
          - ipBlock:
          - port: 443
      - to:
        - ipBlock:

Configuring KEDA

This keda section enables the installation of KEDA ScaledObjects instead of regular HorizontalPodAutoscalers. This configuration is optional and can be used when there is a need for autoscaling based on custom or external metrics.

Most settings default to the values set in the hpa section where applicable.

If the following are true, CPU and memory triggers are added automatically based on the CPU and memory thresholds set in the hpa section:

  • triggers is not set.
  • The corresponding request.cpu.request or request.memory.request setting is also set to a non-zero value.

If no triggers are set, the ScaledObject is not created.

Refer to the KEDA documentation for more details about those settings.

enabledBooleanfalseUse KEDA ScaledObjects instead of HorizontalPodAutoscalers
pollingIntervalInteger30The interval to check each trigger on
cooldownPeriodInteger300The period to wait after the last trigger reported active before scaling the resource back to 0
minReplicaCountIntegerMinimum number of replicas KEDA will scale the resource down to, defaults to hpa.minReplicas
maxReplicaCountIntegerMaximum number of replicas KEDA will scale the resource up to, defaults to hpa.maxReplicas
fallbackMapKEDA fallback configuration, see the documentation
hpaNameStringThe name of the HPA resource KEDA will create, defaults to keda-hpa-{scaled-object-name}
restoreToOriginalReplicaCountBooleanSpecifies whether the target resource should be scaled back to original replicas count after the ScaledObject is deleted
behaviorMapThe specifications for up- and downscaling behavior, defaults to hpa.behavior
triggersArrayList of triggers to activate scaling of the target resource, defaults to triggers computed from hpa.cpu and hpa.memory

Example policy for preventing connections to all internal endpoints

The Registry service normally requires egress connections to object storage, Ingress connections from Docker clients, and kube-dns for DNS lookups. This adds the following network restrictions to the Registry service:

  • All egress requests to the local network on port 53 are allowed (for kubeDNS)
  • Other egress requests to the local network on are restricted
  • Egress requests outside of the are allowed

Note that the registry service requires outbound connectivity to the public internet for images on external object storage

  enabled: true
    enabled: true
    # The following rules enable traffic to all external
    # endpoints, except the local
    # network (except DNS requests)
      - to:
        - ipBlock:
        - port: 53
          protocol: UDP
      - to:
        - ipBlock:

Defining the Registry Configuration

The following properties of this chart pertain to the configuration of the underlying registry container. Only the most critical values for integration with GitLab are exposed. For this integration, we make use of the auth.token.x settings of Docker Distribution, controlling authentication to the registry via JWT authentication tokens.


Field httpSecret is a map that contains two items: secret and key.

The content of the key this references correlates to the http.secret value of registry. This value should be populated with a cryptographically generated random string.

The shared-secrets job will automatically create this secret if not provided. It will be filled with a securely generated 128 character alpha-numeric string that is base64 encoded.

To create this secret manually:

kubectl create secret generic gitlab-registry-httpsecret --from-literal=secret=strongrandomstring

Notification Secret

Notification Secret is utilized for calling back to the GitLab application in various ways, such as for Geo to help manage syncing Container Registry data between primary and secondary sites.

The notificationSecret secret object will be automatically created if not provided, when the shared-secrets feature is enabled.

To create this secret manually:

kubectl create secret generic gitlab-registry-notification --from-literal=secret=[\"strongrandomstring\"]

Then proceed to set

  # To provide your own secret
        secret: gitlab-registry-notification
        key: secret

  # If utilising Geo, and wishing to sync the container registry.
  # Define this in the primary site configs only.
        enabled: true
        primaryApiUrl: <URL to primary registry>

Ensuring the secret value is set to the name of the secret created above

Redis cache Secret

The Redis cache Secret is used when global.redis.auth.enabled is set to true.

When the shared-secrets feature is enabled, the gitlab-redis-secret secret object is automatically created if not provided.

To create this secret manually, see the Redis password instructions.


The authEndpoint field is a string, providing the URL to the GitLab instance(s) that the registry will authenticate to.

The value should include the protocol and hostname only. The chart template will automatically append the necessary request path. The resulting value will be populated to auth.token.realm inside the container. For example: authEndpoint: ""

By default this field is populated with the GitLab hostname configuration set by the Global Settings.


The certificate field is a map containing two items: secret and key.

secret is a string containing the name of the Kubernetes Secret that houses the certificate bundle to be used to verify the tokens created by the GitLab instance(s).

key is the name of the key in the Secret which houses the certificate bundle that will be provided to the registry container as auth.token.rootcertbundle.

Default Example:

  secret: gitlab-registry
  key: registry-auth.crt

readiness and liveness probe

By default there is a readiness and liveness probe configured to check /debug/health on port 5001 which is the debug port.


The validation field is a map that controls the Docker image validation process in the registry. When image validation is enabled the registry rejects windows images with foreign layers, unless the manifests.urls.allow field within the validation stanza is explicitly set to allow those layer urls.

Validation only happens during manifest push, so images already present in the registry are not affected by changes to the values in this section.

The image validation is turned off by default.

To enable image validation you need to explicitly set registry.validation.disabled: false.


The manifests field allows configuration of validation policies particular to manifests.

The urls section contains both allow and deny fields. For manifest layers which contain URLs to pass validation, that layer must match one of the regular expressions in the allow field, while not matching any regular expression in the deny field.

referencelimitInt0The maximum number of references, such as layers, image configurations, and other manifests, that a single manifest may have. When set to 0 (default) this validation is disabled.
payloadsizelimitInt0The maximum data size in bytes of manifest payloads. When set to 0 (default) this validation is disabled.
urls.allowArray[]List of regular expressions that enables URLs in the layers of manifests. When left empty (default), layers with any URLs will be rejected.
urls.denyArray[]List of regular expressions that restricts the URLs in the layers of manifests. When left empty (default), no layer with URLs which passed the urls.allow list will be rejected


The notifications field is used to configure Registry notifications. It has an empty hash as default value.

endpointsArray[]List of items where each item correspond to an endpoint
eventsHash{}Information provided in event notifications

An example setting will look like the following:

    - name: FooListener
      timeout: 500ms
      # DEPRECATED: use `maxretries` instead
      # When using `maxretries`, `threshold` is ignored:
      threshold: 10
      maxretries: 10
      backoff: 1s
    - name: BarListener
      timeout: 100ms
      # DEPRECATED: use `maxretries` instead
      # When using `maxretries`, `threshold` is ignored:
      threshold: 3
      maxretries: 5
      backoff: 1s
    includereferences: true


The hpa field is an object, controlling the number of registry instances to create as a part of the set. This defaults to a minReplicas value of 2, a maxReplicas value of 10, and configures the cpu.targetAverageUtilization to 75%.


  key: config

The storage field is a reference to a Kubernetes Secret and associated key. The content of this secret is taken directly from Registry Configuration: storage. Please refer to that documentation for more details.

Examples for AWS s3 and Google GCS drivers can be found in examples/objectstorage:

For S3, make sure you give the correct permissions for registry storage. For more information about storage configuration, see Container Registry storage driver in the administration documentation.

Place the contents of the storage block into the secret, and provide the following as items to the storage map:

  • secret: name of the Kubernetes Secret housing the YAML block.
  • key: name of the key in the secret to use. Defaults to config.
  • extraKey: (optional) name of an extra key in the secret, which will be mounted to /etc/docker/registry/storage/${extraKey} within the container. This can be used to provide the keyfile for the gcs driver.
# Example using S3
kubectl create secret generic registry-storage \

# Example using GCS with JSON key
# - Note: ``
kubectl create secret generic registry-storage \
    --from-file=config=registry-storage.yaml \

You can disable the redirect for the storage driver, ensuring that all traffic flows through the Registry service instead of redirecting to another backend:

  secret: example-secret
  key: config
    disable: true

If you chose to use the filesystem driver:

For the sake of resiliency and simplicity, it is recommended to make use of an external service, such as s3, gcs, azure or other compatible Object Storage.

The chart will populate delete.enabled: true into this configuration by default if not specified by the user. This keeps expected behavior in line with the default use of MinIO, as well as the Linux package. Any user provided value will supersede this default.

Configuration of follows upstream convention:

Configuration is fairly generic and follows similar pattern:

  # See
    - name: cloudfront
        # `privatekey` is auto-populated with the content from the privatekey Secret.
          secret: cloudfront-secret-name
          # "key" value is going to be used to generate filename for PEM storage:
          #   /etc/docker/registry/<index>/<key>
          key: private-key-ABC.pem

Within above code options.privatekeySecret is a generic Kubernetes secret contents of which corresponds to PEM file contents:

kubectl create secret generic cloudfront-secret-name --from-file=private-key-ABC.pem=pk-ABCEDFGHIJKLMNOPQRST.pem

privatekey used upstream is being auto-populated by chart from the privatekey Secret and will be ignored if specified.

keypairid variants

Various vendors use different field names for the same construct:

Vendorfield name
Google CDNkeyname

Only configuration of section is supported at this time.


The debug port is enabled by default and is used for the liveness/readiness probe. Additionally, Prometheus metrics can be enabled via the metrics values.

    port: 5001

  enabled: true


The health property is optional, and contains preferences for a periodic health check on the storage driver’s backend storage. For more details, see Docker’s configuration documentation.

    enabled: false
    interval: 10s
    threshold: 3


The reporting property is optional and enables reporting

    enabled: true
    dsn: 'https://<key><project>'
    environment: 'production'


The profiling property is optional and enables continuous profiling

    enabled: true
      secret: gitlab-registry-profiling-creds
      key: credentials
    service: gitlab-registry



The database property is optional and enables the metadata database.

See the administration documentation before enabling this feature.

This feature requires PostgreSQL 13 or newer.

  enabled: true
  port: 5432
  user: registry
    secret: gitlab-postgresql-password
    key: postgresql-registry-password
  dbname: registry
  sslmode: verify-full
    secret: gitlab-registry-postgresql-ssl
    clientKey: client-key.pem
    clientCertificate: client-cert.pem
    serverCA: server-ca.pem
  connecttimeout: 5s
  draintimeout: 2m
  preparedstatements: false
  primary: 'primary.record.fqdn'
    maxidle: 25
    maxopen: 25
    maxlifetime: 5m
    maxidletime: 5m
    enabled: true
    activeDeadlineSeconds: 3600
    backoffLimit: 6
    enabled: true
    maxJobRetries: 3
    jobInterval: 10s

Load balancing

This is an experimental feature under active development and must not be used in production.

The loadBalancing section allows configuring database load balancing. The Redis cache must be enabled for this feature to work.

Manage the database

See the Container registry metadata database page for more information about creating and maintaining the database.

gc property

The gc property provides online garbage collection options.

Online garbage collection requires the metadata database to be enabled. You must use online garbage collection when using the database, though you can temporarily disable online garbage collection for maintenance and debugging.

  disabled: false
  maxbackoff: 24h
  noidlebackoff: false
  transactiontimeout: 10s
  reviewafter: 24h
    disabled: false
    interval: 5s
    disabled: false
    interval: 5s
    storagetimeout: 5s

Redis cache

The Redis cache is a beta feature from version 16.4 and later. Please review the feedback issue and associated documentation before enabling this feature.

The redis.cache property is optional and provides options related to the Redis cache. To use redis.cache with the registry, the metadata database must be enabled.

For example:

    enabled: true
    host: localhost
    port: 16379
      secret: gitlab-redis-secret
      key: redis-password
    db: 0
    dialtimeout: 10ms
    readtimeout: 10ms
    writetimeout: 10ms
      enabled: true
      insecure: true
      size: 10
      maxlifetime: 1h
      idletimeout: 300s


The redis.rateLimiting.cluster property is a list of hosts and ports to connect to a Redis cluster. For example:

    enabled: true
      - host:
        port: 6379
      - host:
        port: 6379


The redis.cache can use the global.redis.sentinels configuration. Local values can be provided and will take precedence over the global values. For example:

    enabled: true
      - host:
        port: 16379
      - host:
        port: 16379

Sentinel password support


The redis.cache can also use the global.redis.sentinelAuth configuration to use an authentication password for Redis Sentinel. Local values can be provided and take precedence over the global values. For example:

    enabled: true
      - host:
        port: 16379
      - host:
        port: 16379
      enabled: true
      secret: registry-redis-sentinel
      key: password

Redis rate-limiter

The Redis rate-limiting is under development. More functionality details will be added to this section as they become available.

The redis.rateLimiting property is optional and provides options related to the Redis rate-limiter.

For example:

    enabled: true
    host: localhost
    port: 16379
    username: registry
      secret: gitlab-redis-secret
      key: redis-password
    db: 0
    dialtimeout: 10ms
    readtimeout: 10ms
    writetimeout: 10ms
      enabled: true
      insecure: true
      size: 10
      maxlifetime: 1h
      idletimeout: 300s

Garbage Collection

The Docker Registry will build up extraneous data over time which can be freed using garbage collection. As of now there is no fully automated or scheduled way to run the garbage collection with this Chart.

You must use online garbage collection with the metadata database. Using manual garbage collection with the metadata database will lead to data loss. Online garbage collection fully replaces the need to manually run garbage collection.

Manual Garbage Collection

Manual garbage collection requires the registry to be in read-only mode first. Let’s assume that you’ve already installed the GitLab chart by using Helm, named it mygitlab, and installed it in the namespace gitlabns. Replace these values in the commands below according to your actual configuration.

# Because of we can't rely on --reuse-values, so let's get our current config.
helm get values mygitlab > mygitlab.yml
# Upgrade Helm installation and configure the registry to be read-only.
# The --wait parameter makes Helm wait until all ressources are in ready state, so we are safe to continue.
helm upgrade mygitlab gitlab/gitlab -f mygitlab.yml --set registry.maintenance.readonly.enabled=true --wait
# Our registry is in r/o mode now, so let's get the name of one of the registry Pods.
# Note down the Pod name and replace the '<registry-pod>' placeholder below with that value.
# Replace the single quotes to double quotes (' => ") if you are using this with Windows' cmd.exe.
kubectl get pods -n gitlabns -l app=registry -o jsonpath='{.items[0]}'
# Run the actual garbage collection. Check the registry's manual if you really want the '-m' parameter.
kubectl exec -n gitlabns <registry-pod> -- /bin/registry garbage-collect -m /etc/docker/registry/config.yml
# Reset registry back to original state.
helm upgrade mygitlab gitlab/gitlab -f mygitlab.yml --wait
# All done :)

Running administrative commands against the Container Registry

The administrative commands can be run against the Container Registry only from a Registry pod, where both the registry binary as well as necessary configuration is available. Issue #2629 is open to discuss how to provide this functionality from the toolbox pod.

To run administrative commands:

  1. Connect to a Registry pod:

    kubectl exec -it <registry-pod> -- bash
  2. Once inside the Registry pod, the registry binary is available in PATH and can be used directly. The configuration file is available at /etc/docker/registry/config.yml. The following example checks the status of the database migration:

    registry database migrate status /etc/docker/registry/config.yml

For further details and other available commands, refer to the relevant documentation: