Authenticating to Gitlab Docker Registry before starting the CI job

I have seen the doc to use a CI job token to authenticate to Gitlab Docker Registry https://docs.gitlab.com/ee/user/project/new_ci_build_permissions_model.html#container-registry
as well as the doc to pull an image from a private Docker Registry https://docs.gitlab.com/ee/ci/docker/using_docker_images.html#define-an-image-from-a-private-container-registry

Now I would like to combine both and to be able to use the CI job token to pull the build image from GitLab Docker Registry and use a private image in the “image” field.

Did anyone manage to do that? I mean using CI_JOB_TOKEN instead of a personal user/token in DOCKER_AUTH_CONFIG.


Same here,

Our scenario:
We have one repository where we store the docker images that we use to run our CI tests. They get built and pushed to the gitlab registry in a CI job as well.

The runners in the projects shall use the images for their jobs, but are configured with docker:dind. To use the images they need to log in to the gitlab registry with a deploy key of the docker image repo.

Just leaving this here in case the author finds a solution and is willing to share. I too am facing this issue.
I want to pull an image from a private repository for the CI job to run in, but the error states that I have to do a ‘docker login’ before that. I cannot, however, since this ‘docker login’ would then have to be done on the EC2 instance that is being spun up by our gitlab-runner (docker-machine+ssh).

Found the solution yesterday by setting DOCKER_AUTH_CONFIG. I’ll just copy paste what I wrote in our internal Readme:

To be able to use the images (i.e. registry.url:443/group/project/image:version) the CI runner needs to be able to pull the image from this repository (which is private). This can be done by using the DOCKER_AUTH_CONFIG CI variable.

The value can be generated by base64 encoding deploy key credentials for this repo:

  echo -n "deploy-key-user:deploy-key-secret" | base64

Set it in your client repo's CI secrets as CI_DOCKER_AUTH_CONFIG and use it in the .gitlab-ci.yml as such:

  variables:
    DOCKER_AUTH_CONFIG: $CI_DOCKER_AUTH_CONFIG

For more info see: https://docs.gitlab.com/ee/ci/docker/using_docker_images.html#determining-your-docker_auth_config-data
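
The GitLab documentation linked above describes DOCKER_AUTH_CONFIG as a JSON document with one "auths" entry per registry, where the base64 string is that entry's "auth" value. An added example, not part of the original post, that builds that JSON in shell; the function names are hypothetical, and it assumes the "auths" key is the host[:port] prefix of the image name (registry.url:443 for the image above).

```shell
#!/bin/sh
# Added example: build a DOCKER_AUTH_CONFIG value from deploy credentials.
# Function names are hypothetical; credentials below are placeholders.

# b64 STRING -> base64 of STRING on a single line.
# GNU base64 wraps at 76 columns, which would put a newline inside the
# JSON string for long tokens, so line breaks are stripped.
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# docker_auth_config REGISTRY USER SECRET -> JSON on stdout
docker_auth_config() {
    registry=$1 user=$2 secret=$3
    if [ -z "$registry" ] || [ -z "$user" ] || [ -z "$secret" ]; then
        echo "usage: docker_auth_config REGISTRY USER SECRET" >&2
        return 2
    fi
    # The key is host[:port] only: no scheme, no path, nothing that
    # would need JSON escaping.
    case $registry in
        *[!A-Za-z0-9.:-]*)
            echo "registry must be host[:port], got: $registry" >&2
            return 2 ;;
    esac
    # The decoded value is split at the first ':', so a ':' in the
    # user name would shift the user/secret boundary.
    case $user in
        *:*) echo "user name must not contain ':'" >&2; return 2 ;;
    esac
    printf '{"auths":{"%s":{"auth":"%s"}}}\n' \
        "$registry" "$(b64 "$user:$secret")"
}

# Placeholder credentials from the post; paste the printed JSON into the
# CI_DOCKER_AUTH_CONFIG secret of the client project.
docker_auth_config "registry.url:443" "deploy-key-user" "deploy-key-secret"
```

Store the output as a masked CI/CD variable rather than in .gitlab-ci.yml, since base64 is an encoding and anyone who can read the value can recover the deploy credentials.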