I have a gitlab group that holds projects that in turn only contain a single Dockerfile.
So gitlab.com/my_fancy_group contains
- gitlab.com/my_fancy_group/amaze_project_to_build_docker_image_1
- gitlab.com/my_fancy_group/amaze_project_to_build_docker_image_2
I am trying to push docker images from each project to its parent group container registry so that it is easier to pull them. So pulling would be
docker pull registry.gitlab.com/my_fancy_group/amaze_project_to_build_docker_image_1:latest
docker pull registry.gitlab.com/my_fancy_group/amaze_project_to_build_docker_image_2:latest
And it would be as if adding an image file to the group’s container registry.
I have created a deploy token for my_fancy_group that has write_registry scope.
I have added this as a masked variable (user: DEPLOY_USER, pass: DEPLOY_TOKEN) in my_fancy_group as well in order to be able to use it in the projects.
Now in my .gitlab-ci.yml I will run:
- echo $DEPLOY_TOKEN | docker login -u $DEPLOY_USER --password-stdin registry.gitlab.com/my_fancy_group
Which returns
Login Succeeded
Then I run these commands:
- docker build -t registry.gitlab.com/my_fancy_group/amaze_project_to_build_docker_image_1:$CI_COMMIT_TAG .
- docker image push registry.gitlab.com/my_fancy_group/amaze_project_to_build_docker_image_1:$CI_COMMIT_TAG
and get the error:
The push refers to repository [registry.gitlab.com/my_fancy_group/amaze_project_to_build_docker_image_1]
...
denied: requested access to the resource is denied
I have tested that the image is built OK with a docker run in between build and push.
I have tried:
- Logging in to registry.gitlab.com again with the Deploy Token, which succeeds, but the docker push fails as well.
- Using a different name than amaze_project_to_build_docker_image_1 in case there is some sort of name clash. Docker push fails.
- Pushing to registry.gitlab.com/my_fancy_group:$CI_COMMIT_TAG. This succeeds but does not achieve the desired functionality.
It looks like the deploy token will only allow images such as
https://registry.gitlab.com/my_fancy_group:$CI_COMMIT_TAG
Is there a way to do this? Or should I stick with separate projects? I guess that in the end it would be the same and I am just nitpicking.
Relevant documentation and posts:
https://gitlab.com/gitlab-org/gitlab/-/issues/23315
https://docs.gitlab.com/ee/user/packages/container_registry/#image-naming-convention
https://www.reddit.com/r/gitlab/comments/ft2dbk/allowing_runner_to_push_to_container_registry/