Does the Gitlab TCP traffic actually go through Traefik?

The following lines in the Gitlab docker-compose.yml file imply it directly uses docker to route the port 2222 traffic to the Gitlab container.

  gitlab:
    image: 'gitlab/gitlab-ce:latest'
    ...
    ports:
      - "2222:22"
   ...

If I am correct, you need to map port 2222 to 2222 on the Traefik container configuration.

Yes, that's right - the ssh traffic goes through traffic.

The "magic" is done by

      - traefik.tcp.routers.gitlab-ssh.rule=HostSNI(`gitlab.domain.com`)
      - traefik.tcp.routers.gitlab-ssh.entrypoints=ssh
      - traefik.tcp.routers.gitlab-ssh.service=gitlab-ssh-svc
      - traefik.tcp.services.gitlab-ssh-svc.loadbalancer.server.port=2222

and the GITLAB_OMNIBUS_CONFIG environment variable.

No, you bind port 2222 to the host in your gitlab docker-compose file. So the traffic goes not trough traefik. Yo need to bind it to the traefik container The traefik labels are useless if traefik has no access to port 2222.

I have submitted a pull request which aims to fix this. See #5.
The TCP router is now used. In my own (very limited) environment however, I have found that routing the TCP traffic this way has no added benefit. I do submit this request so that anyone who has an actual need to route the TCP traffic has a working example.

You can test this by shutting down the Traefik container. This will cause all ssh requests to Gitlab to fail.

I hope this will help someone.