option to define access to the container registry

Description

Currently you can either enable or disable the Docker registry. It is currently not possible for a public project for which the git repository is restricted to members only, to have a Docker registry that is also members only.

Proposal

Add an option "Registry" under Settings -> Project Visibility, just underneath "Repository", with the options Disabled, Only Team members and Public.

Overview

Why should someone use this feature? If you have closed source or non-free software you don't want to make either the source code or the derived Docker image available to the public. But that should not prevent you from sharing the Docker images with your teammates. Even making the project completely private still exposes the registry.

How do you use this feature? I'm developing a PHP website which is not suitable to be open sourced. I do want to have a public issue tracker, so the visibility of my project is set to public, but the git repository is set to member only. With GitLab CI I create a Docker image of my code. I would like to have my web server (which may log in with my credentials) be able to pull from the GitLab registry.

Feature checklist

Make sure these are completed before closing the issue, with a link to the relevant commit.

Implementation

  • Create the new column project_features.container_registry_access_level - !54831 (merged)
  • Background migration to move values from projects.container_registry_enabled to project_features.container_registry_access_level. This needed to be rescheduled a couple of times.
  • Cleanup migration - !56626 (merged)
  • Modify project policies to check project_features.container_registry_access_level instead of projects.container_registry_enabled - !55071 (merged)
  • Ensure that all locations where we check if the container registry is enabled are changed to check if the container registry is enabled for the current user/actor.
  • Update code to write directly to project_features.container_registry_access_level. This does not include APIs, so that users cannot yet set container registry visibility to private. - !62663 (merged)
  • Update specs to consider that container registry visibility can now be independent of project visibility. - !65831 (merged)
  • Update the APIs (internal, public) to allow users to write to project_features.container_registry_access_level. This will allow users to set container registry visibility to private.
  • Update our settings UI to have a dropdown allowing users to set container registry visibility. - !55079 (merged)
  • Add additional documentation - !67413 (merged).
Edited by Tim Rizzi
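
The difference between the old project-wide "enabled" check and the per-actor check described in the checklist, as an added sketch that is not GitLab's code. The module, method names, level symbols and the backfill mapping are all hypothetical assumptions made for illustration.

```ruby
# Added illustration; names and level symbols are hypothetical, not GitLab's.
module RegistryAccess
  # Stand-ins for the proposed options: Disabled / Only Team members / Public.
  LEVELS = %i[disabled members public].freeze

  Project = Struct.new(:visibility, :registry_level, :member_ids, keyword_init: true)

  # Old model: a single boolean, so every caller gets the same answer.
  def self.legacy_enabled?(container_registry_enabled)
    container_registry_enabled ? true : false
  end

  # Backfill from the boolean to an access level (assumed mapping).
  def self.backfill_level(container_registry_enabled)
    container_registry_enabled ? :public : :disabled
  end

  # New model: the answer depends on who is asking.
  def self.can_read_registry?(project, actor_id)
    member = !actor_id.nil? && project.member_ids.include?(actor_id)
    # Project visibility stays the outer gate: a private project never
    # exposes its registry to non-members, whatever the registry level says.
    return false if project.visibility == :private && !member

    case project.registry_level
    when :members then member
    when :public  then true
    else false # :disabled and any unrecognised value fail closed
    end
  end
end

# Constructed scenario from the issue: public project, members-only registry.
project = RegistryAccess::Project.new(
  visibility: :public, registry_level: :members, member_ids: [1, 2]
)
puts RegistryAccess.can_read_registry?(project, 1)   # project member
puts RegistryAccess.can_read_registry?(project, nil) # anonymous request
```

Any call site that still asks only the project-wide question would keep answering "enabled" for anonymous callers, which is why the checklist changes every such check to take the current user/actor.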