Use GitLab Dependency Proxy to reduce Docker Hub rate limiting

Son of Odinrequested to merge
odin/docker-dependency-proxy into develop

Summary

  • Route Docker Hub image pulls through GitLab's Dependency Proxy to avoid rate limiting
  • Add DOCKER_MIRROR env var that is set to the dependency proxy URL in CI, and defaults to empty (Docker Hub direct) for local development
  • Prefix 6 Docker Hub images in docker-compose.yml (ethereum, xrp, solana, polygon, zcash, timescaledb)
  • Add ARG DOCKER_MIRROR to Dockerfiles for build base images (golang)
  • Pass --build-arg DOCKER_MIRROR through Makefile build targets

Context

The test-simulation job was failing with Docker Hub rate limit errors despite authenticated pulls (toomanyrequests: You have reached your pull rate limit as 'thornode'). This happens because each CI run pulls ~11 Docker Hub images (6 compose services + build bases), and with retries + parallel pipelines, the account's pull quota is exhausted.

GitLab's Dependency Proxy acts as a pull-through cache at the group level. Once an image is cached, subsequent pulls are served from GitLab's infrastructure without hitting Docker Hub.

How it works

  • In CI: DOCKER_MIRROR is set to ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/ (e.g. gitlab.com/thorchain/dependency_proxy/containers/)
  • Locally: DOCKER_MIRROR is unset, so ${DOCKER_MIRROR:-} resolves to empty — no behavior change
  • Images with @sha256: digest pins (debian base images) are left unchanged since the dependency proxy doesn't support digest references

Test plan

  • Verify docker compose config resolves images correctly locally (DOCKER_MIRROR unset)
  • Verify CI pipeline passes with dependency proxy enabled
  • Confirm Docker Hub pull count is reduced in CI logs

Merge request reports