GA: Docker virtual registry
## **Docker Virtual Registry GA**
### **Overview**
This epic tracks the progression of Docker Virtual Registry from beta to General Availability (GA), ensuring we meet GitLab's standard of "production-ready at any scale with a complete feature set."
After the beta release of the Docker virtual registry in Q1, we are planning to announce GA for all available virtual registry formats in Q2. This effort builds on the learnings from the Maven Virtual Registry GA implementation and extends Docker support to include major cloud provider registries.
### **Why This is Important**
This feature is critical for enterprise customers migrating from JFrog Artifactory to GitLab. Docker/OCI image management requires enterprise-grade features including cloud provider integrations (AWS ECR, Google Artifact Registry, Azure Container Registry), comprehensive lifecycle management, advanced filtering, and production-ready observability - all tailored specifically for container image workflows and ecosystem requirements.
### **Acceptance Criteria for GA Release**
#### **Complete Product Feature Set**
**:white_check_mark: Already Implemented (from Beta)**
* Basic virtual registry configuration
* Upstream repository management (Docker Hub)
* Image caching functionality
* Basic OCI/Docker image resolution
**:arrows_counterclockwise: In Progress / Planned**
**Cloud Provider Registry Integration**
* AWS Elastic Container Registry (ECR) authentication and integration
  * IAM role-based authentication support
  * Automatic credential refresh handling
* Google Artifact Registry authentication and integration
  * Service account authentication
  * Workload identity support
  * Multi-region support
* Azure Container Registry authentication and integration
  * Managed identity authentication
* Authentication credential management UI
* Cloud provider connection testing and health checks
* Audit logs for cloud provider authentication events
**Production-Ready UI/API Features**
* Complete UI for registry and upstream configuration
* UI for searching and managing cache with container-specific metadata
* Image resolution explanations (why a specific image/tag was selected)
* Metadata freshness indicators and refresh capabilities
* Pattern-based access controls for image routing
* Multi-upstream precedence configuration
**Lifecycle Policies Implementation**
* Rule-based policies: Delete cached images not pulled in last X days
* Tag-based cleanup policies (e.g., remove untagged manifests)
* Image age-based retention rules
* Audit logs and notifications for policy-driven actions
**Allow/Deny Filtering**
* Flexible rule-based filtering for image inclusion/exclusion
* Pattern matching for image repositories (namespace/\*, image:tag-pattern)
* Audit logs for blocked image pull requests
**Root-Group Dashboards and Analytics**
* Root-group-level view of upstreams and connection status
* Cache performance metrics (hit rate, miss rate, eviction rate)
* Image pull statistics and trends
* Storage utilization by upstream source
* Connection health and status
**Shareable Upstreams Functionality**
* Optimize storage by allowing multiple virtual registries to share upstreams
* Efficient caching and storage optimization
* Reduce duplicate storage of identical image layers
* Shared cloud provider credential management
**Locally-Hosted Registry Support**
* Target GitLab projects/groups to expose container registry images
* Mixed upstream routing (local + external + cloud providers)
* Precedence rules for local vs. cached images
**Authentication and Configuration**
* Enhanced Docker client configuration guidance
* Streamlined authentication setup flows for Docker CLI
* Cloud provider credential rotation and management
* Clear error messaging for authentication issues across providers
* Support for docker login, credential helpers, and token-based auth
#### **Data & Observability Requirements**
**Usage Metrics:**
* Images pulled from upstreams (by source: Docker Hub, ECR, GCR, ACR, etc.)
* Images pulled from cache
* Cache hit ratio by upstream source
* Layer-level deduplication effectiveness
**Adoption Metrics:**
* Root groups with Docker virtual registry enabled
* Organizations with at least one Docker virtual registry
* Cloud provider integration adoption (% using ECR, GCR, ACR)
* Migration tracking from JFrog/Nexus to GitLab Docker virtual registry
#### **Market Validation Requirements**
**Customer Feedback:**
* Customer feedback analysis from Beta program completed
* All critical performance issues identified in Beta resolved
* Documentation of specific customer use cases and value delivered
* Performance concerns from Beta addressed and validated
**Customer Value Evidence:**
* Clear evidence of customer value and adoption patterns
* Evidence of customers migrating production workloads from JFrog Artifactory or other solutions
* Improved build reliability metrics (fewer external registry failures)
**Customer Readiness for GA:**
* Minimum 5 enterprise customers committed to production usage within 30 days of GA
* At least 2 customers with \>10K container images actively using Docker virtual registry
* At least 1 customer using each cloud provider integration (ECR, GCR, ACR) in production
#### **Technical Readiness Requirements**
**Performance & Scalability:**
* Image layer caching strategies proven at scale
* Multi-upstream routing performance validated
* Cloud provider API rate limit handling implemented
* Credential caching and refresh mechanisms optimized
**Platform Parity:**
* Feature flags removed completely
* Feature available on GitLab.com, Self-Managed, and Dedicated
* Cloud provider integrations work across all deployment types
* High availability support for all upstream types
**Security & Compliance:**
* Cloud provider credentials securely stored and rotated
* Audit logging for all image pull operations
* Vulnerability scanning integration for cached images
* Compliance with image signing and attestation standards
### **Success Metrics**
**Adoption Rate:**
* Number of groups using Docker virtual registries in production
* Percentage of Docker virtual registries utilizing cloud provider upstreams
* Percentage utilizing shared upstreams for storage optimization
* Migration rate from JFrog Artifactory to GitLab Docker virtual registry
**Performance & Efficiency:**
* Image manifest and layer pull operation response times
* Cache hit ratios for container images (target: \>70%)
* Storage optimization from shared upstreams and layer deduplication
* Reduction in duplicate image layer storage
* Bandwidth cost savings from caching vs. direct upstream pulls
**User Satisfaction:**
* Customer feedback scores from Beta program
* Time-to-resolution for container dependency management
* Support ticket reduction for Docker-related issues
* Build reliability improvement (reduction in external registry failures)
**Cloud Provider Integration:**
* Adoption rate of ECR, GCR, and ACR integrations
* Authentication success rates for cloud providers
* Cross-region pull performance for cloud provider registries
### **Engineering Assessment**
**Resource Requirements:**
* Estimated 2-3 backend engineers plus partial frontend support for 3-4 milestones
* Additional DevOps engineering for cloud provider integration testing
* Security team consultation for credential management architecture
**Technical Challenges:**
* **Cloud provider authentication:** Each provider (AWS, GCP, Azure) uses different auth mechanisms (IAM roles, service accounts, managed identities)
* **Credential management:** Secure storage, automatic refresh, and rotation of cloud provider credentials
* **Cross-region complexity:** Supporting multi-region registries for each cloud provider
* **OCI manifest handling:** Different cloud providers may have nuanced OCI spec implementations
* **Layer deduplication:** Efficient storage when same layers exist across multiple upstreams
* **Performance optimization:** Ensuring pull-through performance matches direct upstream speeds
**Risk Mitigation:**
* Leverage existing container registry team expertise with OCI/Docker protocols
* Incremental cloud provider rollout (ECR first, then GCR, then ACR)
* Feature flags during transition for gradual rollout
* Comprehensive testing with customer pilot programs for each cloud provider
* Reuse authentication patterns from existing GitLab cloud integrations where possible
### **Dependencies**
**Critical Dependencies:**
* Container Registry team availability for OCI/Docker protocol expertise
* GitLab Credits integration for consumption billing
* Cloud provider service account/credential management infrastructure
* Registry analytics platform for usage metrics and dashboards
**Important:** This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.