Anonymous read option for container registries
The internal registry is a great feature, and very easy to get set up for a single project's pipeline. As mentioned in gitlab-ce#18994, though, it cannot be used across projects in any convenient way. In fact, I believe it doesn't work at all for the following use case:
- projectA in group1 defines and pushes a docker image that is used as the runner image for other projects' builds
- projectB in group2 uses that docker image by defining it in `.gitlab-ci.yml` using the `image: <REGISTRY_ROOT>/group1/projectA` directive
In this case, the runner will always get a 403 response when attempting to pull the image before the build even starts.
Proposal:
Make a project-level configuration parameter to allow unauthenticated pulls from that project's container registry. This parameter would default to False, thus maintaining the status quo without user intervention. If set to True, however, it should...just...work.