Create Project Deploy Tokens to allow permanent access to repo and registry
What does this MR do?
Create project-based deploy tokens, to allow permanent access to repository and registry images.
Are there points in the code the reviewer needs to double check?
Ensure there aren't any loose ends regarding the implementation of Project Deploy Tokens
Why was this MR needed?
When a project is deployed to a Kubernetes cluster, it relies on a Docker image that has been pushed to the GitLab Container Registry. Kubernetes fetches this image and uses it to run the application.
If the project is public, the image can be accessed by Kubernetes without any authentication.
If the project is private/internal, the registry requires credentials to pull the image. This is actually addressed by providing CI_JOB_TOKEN
as the password that can be used, but this token is temporary and no longer valid as soon as the deployment job finishes. This means that Kubernetes can run the application, but in case it should be restarted or executed somewhere else, it cannot be accessed again. This creates problems if the deployed application is something that should be available for a long term (e.g., production deployments).
By having project-based deploy tokens we can avoid the latter situation.
Screenshots (if relevant)
Deploy tokens section (with no active tokens)
Deploy tokens section (with active tokens)
Revoke modal
Does this MR meet the acceptance criteria?
-
Changelog entry added, if necessary -
Documentation created/updated -
Tests added for this feature/bug - Review
-
Has been reviewed by UX -
Has been reviewed by Frontend -
Has been reviewed by Backend -
Has been reviewed by Database
-
-
Conform by the merge request performance guides -
Conform by the style guides -
Squashed related commits together -
Internationalization required/considered -
End-to-end tests pass ( package-and-qa
manual pipeline job)
What are the relevant issue numbers?
Closes #31591 (closed)
To do
-
Display new deploy token, if it's created -
Implement revoke
modal -
Return deploy token data, if error -
Feature specs -
Fix js problem or open an issue about it -
Implement backend logic for read_repo
-
Implement backend logic for read_registry