Persistent Deployment Tokens for allowing external services to pull Container Registry images from outside GitLab (second iteration)
In order to deploy to external services, like Kubernetes clusters, we need to pull images from the internal GitLab Container Registry. The access must be permanent, and it is now possible using the read_registry scope for PAT (#19219 (closed)). This is really good and solves the general problem, but it is related to a specific user and it gives access to all the projects the user is authorized for, which may not be the optimal solution if we want to use it on external services.
Let's find a way to restrict the access of the token to specific projects only.
Links / references
First iteration: #19219 (closed)
When you deploy your docker-based project to an external service, this service needs to be able to pull your container images every time it starts. Since the integrated GitLab Container Registry is the natural choice to store images, it could also be leveraged for distributing them.
By using a persistent deployment token, you can grant read access to the registry for selected projects.
Considering the previous discussion, I see two ways of doing this:
- create a deploy token (similar to deploy keys) that allows multi-project access and is not linked to a specific user
- extend the PAT read_registry scope to include a list of projects we want to grant access to.
Probably the former is the best choice, even if harder to do: it is more flexible, as it allows binding a token to unrelated projects even if they don't have common users. Being unrelated to a specific user, it has no problem if the user's permissions are changed, as that should not affect deployment. Having #19219 (closed) will make user-related usage still possible for basic requirements.
It is also probably simpler to understand and to manage from a UX perspective, and it can also scale well as a group-wide setting.
changed title from Deployment tokens to fetch container registry images (second iteration) to Persistent Deployment Tokens for allowing external services to pull of Container Registry images from outside GitLab (second iteration)
changed the description
Very much look forward to this. It will be very helpful and makes a ton of sense. I am thankful that we at least have the PAT to work with in the meantime.