Add masked CI_REGISTRY_HASH variable to ci variables.

Problem to solve

I'm missing a masked variable called CI_REGISTRY_HASH. It would be defined like this:

# -w0 disables the 76-column line wrapping GNU base64 adds by default; a wrapped value would break the Docker "auth" field for long tokens
export CI_REGISTRY_HASH="$(echo -n "${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD}" | base64 -w0)"

Intended users

Further details

I'm using the Docker executor and I'm writing a .gitlab-ci.yml. I want to have two stages there.

The first builds the registry image and uploads it, and the second runs tests on the built image from the registry.

stages:
  - build
  - test

build:
  stage: build
  # image providing the docker CLI that talks to the docker:dind service (the original did not name one)
  image: docker:latest
  services:
    - docker:dind
  script:
    # read the password from stdin so the token does not show up in the job log or the process list
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    # tag the build result, otherwise the following push has nothing to push
    - docker build -t "$CI_REGISTRY_IMAGE:latest" .
    - docker push "$CI_REGISTRY_IMAGE:latest"

test:
  stage: test
  image: $CI_REGISTRY_IMAGE:latest
  script:
    - sh run_tests.sh

The problem is how to pass credentials to the runner so that it can download $CI_REGISTRY_IMAGE:latest in the test stage.

Note that I don't want runners to have permanent credentials to download images.

Proposal

My ideal solution would be to override the DOCKER_AUTH_CONFIG environment variable. But to do this I need to have CI_REGISTRY_HASH defined, so that I could do:

variables:
  DOCKER_AUTH_CONFIG: "{\"auths\":{\"${CI_REGISTRY}\":{\"auth\":\"${CI_REGISTRY_HASH}\"}}}"

This would allow the runner to access images from this repository. And because, according to the docs (https://docs.gitlab.com/ee/user/packages/container_registry/#authenticating-to-the-container-registry-with-gitlab-cicd), CI_REGISTRY_USER and CI_REGISTRY_PASSWORD are temporary, CI_REGISTRY_HASH would also be temporary. So after the job finishes the runner loses the credentials.

Permissions and Security

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Core

Links / references
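The following is an added example, not part of the issue above or of GitLab's own code. It shows how the DOCKER_AUTH_CONFIG JSON the proposal wants to assemble is built from a username, password and registry host, why the base64 step must not wrap lines, and how to decode the resulting "auth" field back to confirm it is what the Docker client expects. The registry host, user name and token value are constructed sample values, not real credentials, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the issue): build the "auths" JSON that the Docker client
# reads from DOCKER_AUTH_CONFIG, and decode it back for verification.

# docker_auth_hash USER PASSWORD -> base64("USER:PASSWORD") on a single line.
# GNU base64 wraps its output every 76 characters; `tr -d '\n'` removes that
# wrapping (and the trailing newline), which would otherwise corrupt the
# "auth" field once USER:PASSWORD exceeds 57 bytes. Long CI tokens do.
docker_auth_hash() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# docker_auth_config REGISTRY USER PASSWORD -> JSON for one registry entry.
# REGISTRY is the host[:port] the image reference starts with (what
# $CI_REGISTRY holds), not a URL with a scheme.
docker_auth_config() {
    printf '{"auths":{"%s":{"auth":"%s"}}}' "$1" "$(docker_auth_hash "$2" "$3")"
}

# docker_auth_decode HASH -> the "user:password" string an "auth" field encodes.
docker_auth_decode() {
    printf '%s' "$1" | base64 -d
}

# Constructed sample values (not a real registry or token).
SAMPLE_REGISTRY="registry.example.com"
SAMPLE_USER="gitlab-ci-token"
SAMPLE_PASSWORD="glcbt-0123456789abcdefghijklmnopqrstuvwxyz0123456789ABCDEF"

# Round-trip check: the hash must decode to exactly "user:password" and must
# contain no line break, or the Docker client rejects the credential.
check_roundtrip() {
    hash=$(docker_auth_hash "$SAMPLE_USER" "$SAMPLE_PASSWORD")
    [ "$(docker_auth_decode "$hash")" = "$SAMPLE_USER:$SAMPLE_PASSWORD" ] || return 1
    case "$hash" in *"
"*) return 1 ;; esac
    return 0
}

# Print the config a job could place in DOCKER_AUTH_CONFIG.
docker_auth_config "$SAMPLE_REGISTRY" "$SAMPLE_USER" "$SAMPLE_PASSWORD"
echo
```

The 74-byte sample "user:password" string encodes to 100 base64 characters, past the 76-column wrap, which is the case the proposal's one-liner needs to handle; with the wrapping stripped, the value decodes cleanly and can be dropped straight into the auths entry.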