Skip to content

Add namespace support for DOCKER_AUTH_CONFIG

Tobias Rautenkranz requested to merge gitlab-community/gitlab-runner:28073-auth-config-namespace into main
  • Please check this box if this contribution uses AI-generated content as outlined in the GitLab DCO & CLA

What does this MR do?

Add namespace support for DOCKER_AUTH_CONFIG

Allow configuring multiple private registries sharing the same hostname in the DOCKER_AUTH_CONFIG variable for the gitlab runner. Entries can have namespace or part of it in addition to the hostname. The most specific one will be used for the credentials.

Why was this MR needed?

I want to use multiple private image registries from the same host in GitLab CI. e.g.: gitlab.myhost.invalid/team1/project1 and gitlab.myhost.invalid/team2/project2 both need authentication credentials. To support this the credentials need to be looked up by their path and not just the hostname.

What's the best way to test this MR?

I have added tests for the namespace resolution to the test suite.

You can test the runner by creating two private gitlab repositories and pushing an image for later use. Add a token with with Role: Reporter and Scope: read_registry for both and set the DOCKER_AUTH_CONFIG variable in a third project with the respective paths and logins.

You can use the registries I have created. The DOCKER_AUTH_CONFIG is:

{
    "auths": {
        "registry.gitlab.com/tobiasrautenkranz/registry_1": {
            "auth": "cmVnaXN0cnlfMTpnbHBhdC1La3Y3bzgyeXZiaW1zNTNiUmtKMg=="
        },
        "registry.gitlab.com/tobiasrautenkranz/registry_2": {
            "auth": "cmVnaXN0cnlfMjpnbHBhdC1VUnppYXR6YzdlMkFmbmVWbnJLYw=="
        }
    }
}

and a .gitlab-ci.yml with:

variables:
  GIT_STRATEGY: none

test_registry_1:
  image: registry.gitlab.com/tobiasrautenkranz/registry_1/alpine
  script:
    - echo "done1"

test_registry_2:
  image: registry.gitlab.com/tobiasrautenkranz/registry_2/alpine
  script:
    - echo "done2"

Using the default gitlab runner the test_registry_2 job will succeed, while the test_registry_1 job will fail (to pull the image). (Since in the current code only the hostname is considered, the second entry will overwrite the first, leading to the observed success & failure job state)

Adding a runner with the code of this merge request, will allow both jobs to succeed.

What are the relevant issue numbers?

#28073

Edited by Tobias Rautenkranz

Merge request reports