Security releases don't push to the canonical GitLab Runner Docker registry causing discrepancies for internal products and users
When creating a security release, the pipelines are run in the gitlab.com/gitlab-org/security/gitlab-runner project. For example, in this pipeline https://gitlab.com/gitlab-org/security/gitlab-runner/-/jobs/1838814282 we can see that we push to the following registries:
- public.ecr.aws/gitlab/gitlab-runner-helper
- gitlab.com/gitlab-org/security/gitlab-runner/gitlab-runner-helper
- hub.docker.com/gitlab/gitlab-runner-helper
This creates an issue for anyone following the public DockerHub repository, since by default GitLab Runner pulls helper images from the canonical GitLab Docker registry gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper, resulting in the following errors:
The easiest workaround is to use FF_GITLAB_REGISTRY_HELPER_IMAGE in order to pull the helper images from DockerHub.
We should fix this behavior so it's more consistent for everybody using our Docker images and Docker image-based executors.
Our options are:
- Hardcode the canonical registry instead of using the project's registry: We don't really use the security registry anyways and this will be the easiest change.
- For security releases push images only to gitlab.com/gitlab-org/security/gitlab-runner: This will be consistent in terms of Docker images, but inconsistent in terms of other packages we release, e.g. deb/rpm. It will also require a bit more work.
@gitlab-com/runner-group I would appreciate it if you could weigh in on the matter.
Additional info:
Internal discussion in Slack: https://gitlab.slack.com/archives/CBQ76ND6W/p1638384640015300
Related to gitlab#346954 (comment 750855350), #28728 (closed)