Registry: add redis rate-limiter connection settings
What does this MR do?
The container registry has recently added connection settings for a new Redis instance that will be used for rate-limiting purposes (https://gitlab.com/gitlab-org/container-registry/-/issues/1254).
We now need to expose these settings on the Registry chart to allow configuring the connection.
This MR does not contain any behavioral configuration of the rate-limiting itself. That will be included later once we work out more of the details for https://gitlab.com/groups/gitlab-org/-/epics/13237.
Once this change is merged, we will test the connection to the newly provisioned Redis cluster on pre (https://gitlab.com/gitlab-com/gl-infra/scalability/-/issues/3473).
Related issues
Related to https://gitlab.com/gitlab-org/container-registry/-/issues/1278
Testing
- Using `gitlab.redis.password.secret`:

Contents of values.yaml:

```yaml
registry:
  redis:
    rateLimiter:
      enabled: true
      password:
        enabled: true
      username: registry
      db: 0
      dialtimeout: 10ms
      readtimeout: 10ms
      writetimeout: 10ms
      tls:
        enabled: true
        insecure: true
      pool:
        size: 10
        maxlifetime: 1h
        idletimeout: 300s
```

- Wait for the deployment and shell into the registry.
- Tail the registry logs and look for a message similar to:

```json
{"go_version":"go1.22.4","instance_id":"f6d778a3-960f-43fb-9174-a9566d968e7d","level":"info","msg":"redis rate-limiter configured successfully","service":"registry","time":"2024-06-19T06:27:52.570Z","version":"v4.5.0-gitlab"}
```

Additionally, you can verify that the settings propagated correctly to the registry settings:
- Shell into the registry container in the pod
- Check the registry config file

```shell
cat /etc/docker/registry/config.yml
```

```yaml
...
redis:
  ratelimiter:
    enabled: true
    addr: "gitlab-redis-master.default.svc:6379"
    username: registry
    password: "<REDACTED>"
    db: 0
    dialtimeout: 10ms
    readtimeout: 10ms
    writetimeout: 10ms
    tls:
      enabled: true
      insecure: true
    pool:
      size: 10
      maxlifetime: 1h
      idletimeout: 300s
```

Using a custom secret:
- Create a new secret, for example:

```shell
kubectl create secret generic my-custom-redis-pass \
  --from-literal=password='thisisacustompassword'
```

- Replace the secret and key with the custom secret name in your `values.yaml` file

```yaml
registry:
  redis:
    rateLimiter:
      enabled: true
      password:
        enabled: true
        secret: "my-custom-redis-pass"
        key: password
```

- Trigger deployment and check that passwords match inside the registry's config file in the container

```shell
tail -5 /etc/docker/registry/config.yml
```

```yaml
redis:
  ratelimiter:
    enabled: true
    addr: "gitlab-redis-master.default.svc:6379"
    password: "thisisacustompassword"
```

Author checklist
For general guidance, please follow our Contributing guide.
Required
For anything in this list which will not be completed, please provide a reason in the MR discussion.
- Merge Request Title and Description are up to date, accurate, and descriptive.
- MR targeting the appropriate branch.
- MR has a green pipeline.
- Documentation created/updated.
- Tests added/updated, and test plan for scenarios not covered by automated tests.
- [-] Equivalent MR/issue for omnibus-gitlab opened.
  - This is currently under development and this MR will help test the connection to the recently provisioned cluster. We will expose these settings to Omnibus in the future https://gitlab.com/gitlab-org/container-registry/-/issues/1282.
Reviewers checklist
- MR has a green pipeline on https://gitlab.com/gitlab-org/charts/gitlab.
- Consider downstream impact to the Operator, as per evaluating impact from changes to GitLab Chart.
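
The verification steps in the Testing section, as an added example that is not part of this MR or of the chart: shell functions that read a rendered `config.yml` on stdin, report missing rate-limiter connection settings and the `tls.insecure: true` value used in the test values, and print a SHA-256 of the configured password so it can be compared with the secret without displaying it. The function names and the flattening approach are assumptions of this example; it handles only the plain nested `key: value` maps shown above and assumes `awk` and `sha256sum` are available.

```shell
#!/bin/sh
# Added example (not part of the MR): audit the redis.ratelimiter block of a
# rendered registry config read on stdin, without printing the password.

# Flatten the nested YAML under redis.ratelimiter into "key.path=value" lines.
# Handles only plain nested "key: value" maps indented with spaces.
ratelimiter_settings() {
  awk '
    /^[ \t]*$/ || /^[ \t]*#/ { next }
    {
      indent = match($0, /[^ ]/) - 1
      line = substr($0, indent + 1)
      if (index(line, ":") == 0) next
      key = line; sub(/:.*/, "", key)
      val = line; sub(/^[^:]*:[ \t]*/, "", val)
      # Pop parents that are at the same or deeper indentation.
      while (depth > 0 && ind[depth] >= indent) depth--
      depth++; ind[depth] = indent; name[depth] = key
      path = name[1]
      for (i = 2; i <= depth; i++) path = path "." name[i]
      if (val != "" && index(path, "redis.ratelimiter.") == 1) {
        sub(/^"/, "", val); sub(/"$/, "", val)
        print substr(path, 19) "=" val
      }
    }'
}

# Look up one flattened key in $settings (fixed-string match on "key=").
setting() {
  printf '%s\n' "$settings" |
    awk -v k="$1=" 'index($0, k) == 1 { print substr($0, length(k) + 1); exit }'
}

# Print one finding per line; prints nothing when the block looks as expected.
audit_ratelimiter() {
  settings=$(ratelimiter_settings)
  if [ "$(setting enabled)" != "true" ]; then echo "ratelimiter not enabled"; fi
  if [ -z "$(setting addr)" ]; then echo "addr missing"; fi
  if [ -z "$(setting password)" ]; then echo "password missing"; fi
  if [ "$(setting tls.enabled)" != "true" ]; then echo "tls disabled"; fi
  if [ "$(setting tls.insecure)" = "true" ]; then echo "tls.insecure is true"; fi
}

# SHA-256 of the configured password, for comparison with the secret's hash.
ratelimiter_password_sha256() {
  settings=$(ratelimiter_settings)
  printf '%s' "$(setting password)" | sha256sum | cut -d' ' -f1
}
```

Pipe the output of the `cat /etc/docker/registry/config.yml` step into `audit_ratelimiter`, and compare the output of `ratelimiter_password_sha256` with the same hash computed over the decoded secret value.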