Persistent Deployment Tokens for allowing external services to pull Container Registry images from outside GitLab (second iteration)
Description
In order to deploy to external services, like Kubernetes clusters, we need to pull images from the internal GitLab Container Registry. The access must be permanent, and it is now possible using the read_registry scope for PAT (#19219 (closed)). This is really good and solves the general problem, but it is related to a specific user and it gives access to all the projects the user is authorized for, which may not be the optimal solution if we want to use it on external services.
Proposal
Let's find a way to restrict the access of the token to specific projects only.
Links / references
- First iteration: #19219 (closed)
- HTTPS based deploy keys (deploy tokens): https://gitlab.com/gitlab-org/gitlab-ce/issues/20845
Documentation blurb
When you deploy your Docker-based project to an external service, this service needs to be able to pull your container images every time it starts. Since the integrated GitLab Container Registry is the natural choice to store images, it could also be leveraged for distributing them.
By using a persistent deployment token, you can grant read access to the registry for selected projects.