Project deploy tokens to allow permanent access to repo and registry
Description
When a project is deployed to a Kubernetes cluster, it relies on a Docker image that has been pushed to the GitLab Container Registry. Kubernetes fetches this image and uses it to run the application.
If the project is public, the image can be accessed by Kubernetes without any authentication.
If the project is private/internal, the registry requires credentials to pull the image. This is currently addressed by providing CI_JOB_TOKEN as the password, but this token is temporary and is no longer valid as soon as the deployment job finishes. This means that Kubernetes can run the application once, but if it has to be restarted or scheduled on another node, the image cannot be pulled again.
This creates problems if the deployed application is something that should be available for a long term (e.g., production deployments).
At the moment, the solution is to create a PAT (Personal Access Token) and to use this value as the secret to permanently allow access. This has a few problems:
- It is not automatically supported by Auto DevOps, so users must customize the template
- PAT is user-based, so this gives access also to any other project the user is authorized for
- PAT is user-based, so in case the user is disabled/deleted, it stops working
A possible workaround is to create a "service account" user associated just with the project and use a PAT for it. Even though it works, the flow is not easy to follow and requires manual steps. We should provide a better way to address the same problem.
Proposal
- Create project-based deploy tokens, similar to our Deploy Keys. These tokens are available under Settings > Repository and can be managed only by Masters (add/view/revoke).
- Define two possible scopes for the tokens (they can be extended later if needed):
  - read_repo: allows read-only access to the repository (git clone)
  - read_registry: allows read-only access to the registry images
UI for the settings page can be very similar to what we already have for Personal Access Tokens.
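As an added example (not part of this proposal or of GitLab's code), this is the kind of Kubernetes image pull Secret a read_registry token would be plugged into so that the image can still be pulled after the CI job has finished. The registry host, the token's username and the token value are placeholders, and the kubectl/YAML conventions are assumed, not taken from the proposal.

```shell
#!/bin/sh
# Build a kubernetes.io/dockerconfigjson Secret manifest from a registry host,
# a deploy-token username and the token value. Nothing here contacts a cluster;
# the output can be piped to `kubectl apply -f -` (assumed usage).
# Assumption: username and token contain no characters that need JSON escaping.
make_pull_secret() {
  registry="$1"
  user="$2"
  token="$3"
  name="${4:-gitlab-registry}"

  # The "auth" field is base64("user:password"), the same form ~/.docker/config.json uses.
  auth=$(printf '%s:%s' "$user" "$token" | base64 | tr -d '\n')
  dockercfg=$(printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$registry" "$user" "$token" "$auth")

  # Secret data is only base64-encoded, not encrypted: restrict who can read
  # Secrets in this namespace with RBAC, and scope the token to read_registry only.
  encoded=$(printf '%s' "$dockercfg" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $encoded
EOF
}

# Pod spec fragment that references the Secret above via imagePullSecrets.
pull_secret_ref() {
  printf 'imagePullSecrets:\n  - name: %s\n' "${1:-gitlab-registry}"
}

# Constructed placeholder values; a real token is never hard-coded in a script.
make_pull_secret registry.example.com deploy-token-user DEPLOY_TOKEN_PLACEHOLDER regcred
pull_secret_ref regcred
```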