Deprecation - Support for registration tokens and server-side runner configuration parameters in `gitlab-runner register` command
For guidance on the overall deprecations, removals and breaking changes workflow, please visit Breaking changes, deprecations, and removing features
For a high-level overview of the changes and how to proceed, please visit https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html
Deprecation Summary
Support for registration tokens in the command used to register a runner, `gitlab-runner register`, is deprecated. The command began accepting runner authentication tokens in %16.0 in place of registration tokens. The plan is to enable the `enforce_create_runner_workflow` feature flag by default in GitLab %17.0 so that registration tokens cannot be used to create runners. The `enforce_create_runner_workflow` feature flag is planned for removal in %18.0, together with support for registration tokens.
NOTE: The following notice displayed by GitLab Runner 15.6 when registering a runner is out of date:
WARNING: Support for registration tokens and runner parameters in the 'register' command has been deprecated in GitLab Runner 15.6 and will be replaced with support for authentication tokens. For more information, see #380872 (closed)
The `register` command will be preserved with some changes, which should limit the impact on users.
High-level overview of changes
As a result of the Next GitLab Runner Token Architecture effort, we are in the process of deprecating runner registration tokens and favoring an alternative process. The new process consists of (1) creating a runner directly in the GitLab UI, (2) getting an authentication token in return, and (3) using that authentication token in place of the registration token. This has added benefits, including preserving ownership records for runners, while minimizing the impact on users.
Reusing the same authentication token across multiple runners (commonly in an auto-scaling scenario where a runner manager spawns a runner process with a fixed authentication token) is supported through the addition of a unique system ID. This ID is generated once at the runner's startup, persisted in a sidecar file, and sent to the GitLab instance when requesting jobs. This allows the GitLab instance to display which system executed a given job.
The new registration process is expected to become available in %16.0, and the legacy registration process will be available side-by-side for a few milestones before being sunset through a feature flag. Removal is planned for %18.0.
```mermaid
graph TD
    subgraph new[<b>New registration flow</b>]
    A[<b>GitLab</b>: User creates a runner in GitLab UI and adds the runner configuration] -->|<b>GitLab</b>: creates ci_runners record and returns<br/>new 'glrt-' prefixed authentication token| B
    B(<b>Runner</b>: User runs 'gitlab-runner register' command with<br/>authentication token to register new runner machine with<br/>the GitLab instance) --> C{<b>Runner</b>: Does a .runner_system_id file exist in<br/>the gitlab-runner configuration directory?}
    C -->|Yes| D[<b>Runner</b>: Reads existing system ID] --> F
    C -->|No| E[<b>Runner</b>: Generates and persists unique system ID] --> F
    F[<b>Runner</b>: Issues 'POST /runner/verify' request<br/>to verify authentication token validity] --> G{<b>GitLab</b>: Is the authentication token valid?}
    G -->|Yes| H[<b>GitLab</b>: Creates ci_runner_machine database record if missing] --> J[<b>Runner</b>: Store authentication token in .config.toml]
    G -->|No| I(<b>GitLab</b>: Returns '403 Forbidden' error) --> K(gitlab-runner register command fails)
    J --> Z(Runner and runner machine are ready for use)
    end
    subgraph current[<b>Current registration flow</b>]
    A'[<b>GitLab</b>: User retrieves runner registration token in GitLab UI] --> B'
    B'[<b>Runner</b>: User runs 'gitlab-runner register' command<br/>with registration token to register new runner] -->|<b>Runner</b>: Issues 'POST /runner request' to create<br/>new runner and obtain authentication token| C'{<b>GitLab</b>: Is the registration token valid?}
    C' -->|Yes| D'[<b>GitLab</b>: Create ci_runners database record] --> F'
    C' -->|No| E'(<b>GitLab</b>: Return '403 Forbidden' error) --> K'(gitlab-runner register command fails)
    F'[<b>Runner</b>: Store authentication token<br/>from response in .config.toml] --> Z'(Runner is ready for use)
    end
    style new fill:#f2ffe6
```
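The new registration flow described above, modelled from both the runner and the GitLab side as an added example (not GitLab or GitLab Runner code). `ToyGitLab`, `load_or_create_system_id`, the `sys_` ID format, the owner-only file mode and the token values are assumptions made for illustration.

```python
import os
import secrets
import tempfile

SYSTEM_ID_FILE = ".runner_system_id"  # sidecar file name from the page's diagram
TOKEN = "glrt-CONSTRUCTED-EXAMPLE"    # constructed token with the page's prefix


def load_or_create_system_id(config_dir):
    """Runner side: reuse the persisted system ID, or generate and persist one."""
    path = os.path.join(config_dir, SYSTEM_ID_FILE)
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            return fh.read().strip()
    system_id = "sys_" + secrets.token_hex(6)  # constructed format, not GitLab's
    # Owner-only permissions are this example's choice, not taken from the page.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(system_id)
    return system_id


class ToyGitLab:
    """Server side: stand-in for the instance's verify step, not GitLab's code."""
    def __init__(self, valid_tokens):
        self.valid_tokens = set(valid_tokens)
        self.runner_machines = set()  # models ci_runner_machine records

    def verify(self, token, system_id):
        """Model of 'POST /runner/verify'; returns an HTTP-like status code."""
        if token not in self.valid_tokens:
            return 403
        self.runner_machines.add((token, system_id))  # no-op if already present
        return 200


def register(server, token, config_dir):
    """Runner-side steps of the new flow; returns (status, system_id)."""
    system_id = load_or_create_system_id(config_dir)
    return server.verify(token, system_id), system_id


def demo():
    server = ToyGitLab({TOKEN})
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        first = register(server, TOKEN, a)
        restart = register(server, TOKEN, a)   # same host: system ID is reused
        scaled = register(server, TOKEN, b)    # second host: new system ID
        denied = register(server, "glrt-UNKNOWN", b)
    return first, restart, scaled, denied, len(server.runner_machines)
```

Calling `demo()` shows one shared token producing two machine records, one per system ID, while an unknown token gets a 403 and creates none.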
Breaking Change
- Yes
Affected Topology
N/A - This change is specific to GitLab Runner.
Affected Tier
- Free
- Premium
- Ultimate
Checklists
Labels
- This issue is labeled deprecation, and with the relevant ~devops::, ~group::, and ~Category: labels.
- This issue is labeled breaking change if the removal of the deprecated item will be a breaking change.
Timeline
Please add links to the relevant merge requests.
- As soon as possible, but no later than the third milestone preceding the major release (for example, given the following release schedule: 14.8, 14.9, 14.10, 15.0 – 14.8 is the third milestone preceding the major release):
  - A deprecation announcement entry has been created so the deprecation will appear in release posts and on the general deprecation page.
  - Documentation has been updated to mark the feature as deprecated.
- On or before the major milestone: A removal entry has been created so the removal will appear on the removals by milestones page and be announced in the release post.
- On the major milestone:
  - The deprecated item has been removed.
  - If the removal of the deprecated item is a breaking change, the merge request is labeled breaking change.
Mentions
- Your stage's stable counterparts have been @mentioned on this issue. For example, Customer Support, Customer Success (Technical Account Manager), Product Marketing Manager.
  - To see who the stable counterparts are for a product team visit product categories
  - If there is no stable counterpart listed for Sales/CS please mention @timtams
  - If there is no stable counterpart listed for Support please mention @gitlab-com/support/managers
  - If there is no stable counterpart listed for Marketing please mention @cfoster3
- Your GPM has been @mentioned so that they are aware of planned deprecations. The goal is to have reviews happen at least two releases before the final removal of the feature or introduction of a breaking change.