GitLab CI pulling from GitLab Container Registry when logged in breaks pulls from same project when logged in user has no access
This is a bit of an odd one and I'm not really sure if it's really a bug or a feature request so I've dispensed with the template here.
We've just started using the GitLab Container Registry for managing some CI only images (we're using AWS' ECR for deployable images to production) and I've run into an odd situation.
We had one project pushing an image (imageA) to its own project namespace and then using it as part of a service in a following stage, which works really nicely without needing to log in at all on the runner to be able to access the image, presumably because it's in the project's namespace so the job doesn't need anything.
We then had a requirement for a project to be able to pull a shared Docker image (imageB) from another namespace which failed without logging the runner in. Creating a user with a read_registry token, adding them to the project with the shared Docker image in the project's namespace and then running docker login -u docker -p ${APITOKEN} registry.gitlab.example.com then allows the runner to pull the image nicely.
Unfortunately as soon as I ran the docker login command it broke the first set of tests as they were now unable to pull imageA as a service. Running docker logout registry.gitlab.example.com then allows for imageA to be pulled again by the first job but then obviously breaks the pulling of imageB in the second job.
Adding the user that is logged in via docker login to the first project fixes things so they work in both projects but it's less than ideal to have to do this (and seriously confusing when it worked without it before).
Ideally it would be good that if pulling an image in the project's namespace it still injects whatever creds it's using when you haven't logged the user into the registry so that would naturally override the logged in user and makes sense as this is what you'd have if you hadn't bothered to login anyway.