
Use the GitLab API to set your project's Container Registry to public or private

Problem to solve

The GitLab Container Registry allows users to build, publish and share Docker images using CI/CD or the Docker client. The Container Registry follows the privacy settings of the project itself. For example, if the project is public, the registry will be public, and if the project is private, the registry will be private.

However, there are many use cases where a customer wants to keep their code private but the registry public. For example, if you are orchestrating a build process where you build Docker images, store them in GitLab, and use a GitLab Runner to deploy the image as a service to a Docker swarm, the service will fail when migrated to a new node. The problem is that CI_JOB_TOKEN is very short-lived, so it lives only long enough for the initial deployment. If any time passes and a different node in the swarm requests the image, the cached credentials (note --with-registry-auth was passed) have presumably timed out.

Intended users

Further details

Use cases

  • Keep the Container Registry public and the project private, to avoid having to explicitly log in to Docker to pull images from the Registry.
  • Keep the Container Registry public and the project private, to share images within the organization without risking users making unexpected or unwanted changes to the code.
  • Have a private registry and public project to prevent any unwanted updates to your important images.
  • Typically, you may want to share access to code but prevent access to images if your images contain initial passwords, API keys, etc. that are used to deploy web services. For example, these passwords may be provided as protected environment variables. Anyone who downloads the image would be able to read these passwords.

Implementation notes

This issue requires investigation and contains some unknowns. We will kick off this issue as an investigation and then determine the feasibility of the implementation and solution after that investigation.

Proposal

Add a new GitLab API which will allow users to set and update their project's Container Registry to public or private, so that they can manage its visibility settings independently of the rest of the project.

  • The user should be able to set this at the project level.
  • If it doesn't add complexity, we should consider adding project_id to give an extra set of controls.
  • The visibility of the registry should be completely independent of the project. So you can have:
    • Public registry/private project
    • Public registry/public project
    • Private registry/private project
    • Private registry/public project

Permissions and Security

  • This action should be limited to project owners/maintainers.

Documentation

Availability & Testing

  • No foreseen impacts to availability
  • We will need to understand and implement the best default setting for the registry.

What does success look like, and how can we measure that?

  • Success looks like users having more control over the privacy settings for their projects.

Metrics

  • Track number of projects where the Container Registry is set to public vs. private vs. protected
  • Count number of update events of this project setting
  • Understanding this data will allow us to potentially update the default setting in the future

Links / references

Edited by Tim Rizzi