Add docker credentials to `default_namespace` on referenced GitOps projects
Release notes
The GitLab agent for Kubernetes allows deploying from GitLab following GitOps practices. To retrieve a container image from a private GitLab registry, platform engineers need to add the docker credentials to the cluster before deployments are authorized. Until recently, these credentials could be project or personal access tokens, or the CI_JOB_TOKEN. We are expanding the agent-based integration with the automatic creation of docker credentials in the cluster.
The docker credentials are added to the default namespace specified in the agent configuration project for every project under either the gitops or ci_access configuration keys.
Problem to solve
As a Platform Engineer, in order to deploy from GitLab container registry to Kubernetes clusters, I need to set up the docker credentials in the cluster to authenticate against the GitLab registry.
Proposal
Automatically provision deploy tokens at the group or project level (as configured on the agent side). The tokens should be valid for the configured time and should be rotated automatically.
By default, the tokens should be generated for every project/group that is one of the following:
- the agent configuration project
- shared with an agent for CI or manifest access
By default, the tokens should be deployed to the default namespace configured for the given group/project. Additional namespaces can be added, and the default can be removed.
Ideas
As we are dealing with credentials here, the scope can quickly grow very large. At first we want to keep it minimal, but it might still be worth a thought experiment to think about a full-featured output.
registry_access:
  enabled: true # this is the default value
  namespaces: # which namespaces should receive the credentials
    - <default namespace> # this is the default value
    - test-* # pattern matching
  valid_for_time: 5m # at every sync
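To make the sketch above concrete, here is an added example (not part of the proposal or of the agent's code) that resolves the proposed `namespaces` list against a constructed set of cluster namespaces and renders one image pull secret per match. It assumes the credentials land in the cluster as a standard `kubernetes.io/dockerconfigjson` Secret, which the proposal does not specify, and the registry host, deploy-token user name and token value are placeholders.

```python
import base64
import json
from fnmatch import fnmatch

# Constructed sample of namespaces present in the cluster (assumption, not from the proposal).
CLUSTER_NAMESPACES = ["default", "gitops-prod", "test-alpha", "test-beta", "kube-system"]

# Placeholders standing in for values the agent would obtain from GitLab.
REGISTRY = "registry.example.invalid"
DEPLOY_USER = "deploy-token-user"
DEPLOY_TOKEN = "DEPLOY_TOKEN_PLACEHOLDER"


def select_namespaces(patterns, existing, default_namespace):
    """Expand the proposed `namespaces:` list: `<default namespace>` is replaced by the
    agent's default namespace, every other entry is a glob (e.g. `test-*`) matched
    against namespaces that already exist in the cluster. Order is preserved, no duplicates."""
    selected = []
    for pattern in patterns:
        if pattern == "<default namespace>":
            pattern = default_namespace
        for ns in existing:
            if fnmatch(ns, pattern) and ns not in selected:
                selected.append(ns)
    return selected


def docker_config_json(registry, username, token):
    """Build the .dockerconfigjson document Kubernetes expects for an image pull secret."""
    auth = base64.b64encode(f"{username}:{token}".encode()).decode()
    return json.dumps({"auths": {registry: {"username": username, "password": token, "auth": auth}}})


def pull_secret_manifest(namespace, registry, username, token, name="gitlab-registry"):
    """One Secret of type kubernetes.io/dockerconfigjson per target namespace."""
    payload = base64.b64encode(docker_config_json(registry, username, token).encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": payload},
    }


def render_registry_access(config, existing, default_namespace, registry, username, token):
    """Turn a `registry_access:` block into the list of Secret manifests the agent would apply.
    `valid_for_time` only bounds the token lifetime on the GitLab side and is not rendered here."""
    if not config.get("enabled", True):  # `enabled: true` is the proposed default
        return []
    patterns = config.get("namespaces", ["<default namespace>"])
    return [pull_secret_manifest(ns, registry, username, token)
            for ns in select_namespaces(patterns, existing, default_namespace)]
```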