feat: add support for ChainGuard registry access
Allow login to Chainguard using a long-lived token
This MR allows docker jobs to log into and pull from the Chainguard registry easily. This can be done by setting `CHAINGUARD_VIEWER: true`. This will allow projects to pull from the Chainguard registry.

Once #28 is fixed, it will provide the CI job with viewer access to the GitLab Chainguard organization, to read SBOMs etc.
Documentation on the new feature
If your project uses Chainguard images, the Docker task can automatically log into the GitLab Chainguard account prior to performing the Docker build. This allows images to be pulled from `cgr.dev` without the need to juggle credentials on a per-project basis.

Currently, due to OIDC issue #28, a long-lived token is shared between all projects under the `gitlab-com/gl-infra` group on GitLab.com. Once the OIDC problem is resolved, these credentials will be removed and replaced with a tokenless OIDC authentication flow.
Enabling Chainguard
To automatically log into `cgr.dev` with a pull-token, set the variable `CHAINGUARD_VIEWER` to `true` in your docker job, as follows:

```yaml
.container_builds:
  stage: release
  variables:
    CHAINGUARD_VIEWER: true
  ...
```
Original Attempt
This approach has been commented out for now, until #28 is addressed.
Adds an OIDC configuration to log into the Chainguard registry.
This is helpful for Docker builds.
Based on the tutorial in https://edu.chainguard.dev/chainguard/administration/iam-organizations/identity-examples/gitlab-identity/
Claim Match created from CLI using:
```console
$ chainctl iam identities create gitlab gitlab-com-viewer-branch --project-path="gitlab-com/*" --ref-type=branch --ref="*" --role=viewer
...
$ chainctl iam identities describe gitlab-com-viewer-branch
Identity "gitlab-com-viewer-branch"
  ID: 4ff99450b6a0f33512acfbc4b797202f487bc975/59a0c8bfeacaf514
  Location: gitlab.com [REDACTED]
  Roles:
    - gitlab.com: viewer
  Type: Claim match
    Issuer: https://gitlab.com
    Subject Pattern: project_path:gitlab-com/*:ref_type:branch:ref:*
    Audience: https://gitlab.com
```
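As an added illustration (not part of this MR or of chainctl), the following Python models which GitLab CI ID tokens the claim-match identity above would accept. It assumes each field of the subject pattern is a glob applied to the same field of the token's `sub` claim (`*` matching any run of characters, `/` included) and that `iss` and `aud` must equal the identity's issuer and audience; the sample claims and the project name in them are constructed placeholders.

```python
import fnmatch

# Identity values copied from the chainctl output above.
IDENTITY = {
    "issuer": "https://gitlab.com",
    "audience": "https://gitlab.com",
    "subject_pattern": "project_path:gitlab-com/*:ref_type:branch:ref:*",
}

FIELDS = ("project_path", "ref_type", "ref")


def split_subject(sub):
    """Split GitLab's 'project_path:<p>:ref_type:<t>:ref:<r>' into a dict.

    Project paths contain '/' but never ':', so partitioning on the fixed
    marker keys is safe. Anything else raises ValueError.
    """
    if not sub.startswith("project_path:"):
        raise ValueError("unexpected sub: %r" % sub)
    path, sep1, rest = sub[len("project_path:"):].partition(":ref_type:")
    ref_type, sep2, ref = rest.partition(":ref:")
    if not (sep1 and sep2 and path and ref_type and ref):
        raise ValueError("unexpected sub: %r" % sub)
    return dict(zip(FIELDS, (path, ref_type, ref)))


def token_matches(claims, identity=IDENTITY):
    """True if a decoded, signature-verified ID token fits the identity.

    Assumption of this example (not Chainguard's documented rules): each
    pattern field is a glob over the matching 'sub' field, so 'gitlab-com/*'
    covers every project under gitlab-com but not a look-alike group, and
    'ref_type' must be exactly 'branch', so tag pipelines are refused.
    """
    if claims.get("iss") != identity["issuer"]:
        return False
    aud = claims.get("aud")  # JWT 'aud' may be a string or a list
    if identity["audience"] not in (aud if isinstance(aud, list) else [aud]):
        return False
    try:
        got = split_subject(claims.get("sub", ""))
        want = split_subject(identity["subject_pattern"])
    except ValueError:
        return False
    return all(fnmatch.fnmatchcase(got[f], want[f]) for f in FIELDS)


# Constructed sample claims; "example-project" is a placeholder name.
BRANCH_JOB = {"iss": "https://gitlab.com", "aud": "https://gitlab.com",
              "sub": "project_path:gitlab-com/gl-infra/example-project:ref_type:branch:ref:main"}
TAG_JOB = dict(BRANCH_JOB, sub="project_path:gitlab-com/gl-infra/example-project:ref_type:tag:ref:v1.0")
LOOKALIKE = dict(BRANCH_JOB, sub="project_path:gitlab-com-fork/example-project:ref_type:branch:ref:main")
OTHER_AUD = dict(BRANCH_JOB, aud=["https://example.invalid"])
```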