Skip to content

Technical Investigation: Dependency Proxy to pull from any container registry

Topic to Evaluate

#326378 (closed) proposes making the Dependency Proxy work generically with any non-GitLab container registry. This would allow GitLab customers to easily proxy and cache container images from Amazon's or Google's registry, reducing external dependencies and decreasing build times. It also presents an opportunity for GitLab to make authenticating to these external registries more efficient.

The challenge is that the Dependency Proxy was hard-coded to work with Docker Hub. A technical investigation is needed to confirm that the feature can first be expanded to support other registries and that it can be done in a way to make Developers' lives easier and more efficient.

Tasks to Evaluate

  • Can the GitLab Dependency Proxy be expanded to cover other registries? Ideally, it would be generic, but if we had to start with one or two, I'd prioritize ECR/GCR.

  • How will authentication work? Are there any required changes in auth? Any risks?

  • What is a reasonable MVC and how does that solve the problem?

  • Consider #294187 (closed) which proposes adding TTL policies for the Dependency Proxy. Are there any implications with regards to storage and connecting to external registries?

  • Consider how we can measure the metrics mentioned in #238056 (closed).

  • Determine feasibility of the feature

  • Create issue for implementation or update existing implementation issue description with implementation proposal

  • Set weight on implementation issue

  • If weight is greater than 5, break the issue into smaller issues

Competitive intel

Risks and Implementation Considerations

  • Connecting to multiple registries seems like a premium feature. We are considering allowing you to connect to a given number of registries depending on your tier.
  • Another option is to connect to Docker Hub by default and charge for adding other private registries.
Edited by Steve Abrams