Create Project Deploy Tokens to allow permanent access to repo and registry

What does this MR do?

Create project-based deploy tokens, to allow permanent access to repository and registry images.

Are there points in the code the reviewer needs to double check?

Ensure there aren't any loose ends regarding the implementation of Project Deploy Tokens

Why was this MR needed?

When a project is deployed to a Kubernetes cluster, it relies on a Docker image that has been pushed to the GitLab Container Registry. Kubernetes fetches this image and uses it to run the application.

If the project is public, the image can be accessed by Kubernetes without any authentication.

If the project is private/internal, the registry requires credentials to pull the image. This is actually addressed by providing CI_JOB_TOKEN as the password that can be used, but this token is temporary and no longer valid as soon as the deployment job finishes. This means that Kubernetes can run the application, but in case it should be restarted or executed somewhere else, it cannot be accessed again. This creates problems if the deployed application is something that should be available for a long term (e.g., production deployments).

By having project-based deploy tokens we can avoid the latter situation.

Screenshots (if relevant)

Deploy tokens section (with no active tokens)


Deploy tokens section (with active tokens)


Revoke modal


Does this MR meet the acceptance criteria?

What are the relevant issue numbers?

Closes #31591 (closed)

To do

  • Display new deploy token, if it's created
  • Implement revoke modal
  • Return deploy token data, if error
  • Feature specs
  • Fix js problem or open an issue about it
  • Implement backend logic for read_repo
  • Implement backend logic for read_registry

Port to EE

Edited by Kamil Trzciński

Merge request reports