Persistent deployment keys/tokens to fetch registry images outside of GitLab
Description including problem, use cases, benefits, and/or goals
Right now, if we want to deploy containers using Gitlab registry, we have to create a specific gitlab user so the docker daemon can login to the registry, and then pull images.
It's a complicated process to maintain pseudo-users for deployments purposes (think repudiation, ...), and it's complicated to handle registry rights to limit deployment users to pull-only or to specific groups / projects.
Gitlab have a deploy keys (per project or global) feature for SSH "pull-only" git deployments, I suggest o have the same for registry login.
Proposal
Add a deployment token creation with read-only access to the registry, easy removal / repudiation, and project or globally scoped, like we have deployment keys.
First iteration
First iteration is extending PAT with a new scope read_registry
that allows to access registry images respecting user permissions.
Design
Links /references
Second iteration: #33610 (closed)