Configuring a runner with DOCKER_AUTH_CONFIG exposes Credentials

Following the documentation:

To configure a runner with DOCKER_AUTH_CONFIG, we need to do the following:

[[runners]]
  environment = ["DOCKER_AUTH_CONFIG={\"auths\":{\"registry.example.com:5000\":{\"auth\":\"bXlfdXNlcm5hbWU6bXlfcGFzc3dvcmQ=\"}}}"]

But if you do this in Terraform, the credentials/token get exposed in the state file.
Using Kubernetes secrets seems not to be an option.

Is there a solution to avoid this, potentially use kubernetes secrets?

Don’t inject it into the runner config; rather, supply it from protected CI/CD variables?


If I do that, then I need to change my .gitlab-ci.yml to add the registry in front of every image like:

image: registry.example.com:5000/namespace/image:tag

Isn’t there a solution to not add this and just have:

image: namespace/image:tag ?

Go to your project Settings → CI/CD → Variables

Create variables for things like the image URL as well as login/auth tokens, and use those variable names in your .gitlab-ci.yml. Then you can have:

image: $REGISTRY/namespace/image:tag

Thank you for the quick response guys.

One additional question, with this solution, do I need to add $REGISTRY for the public images also or just my private ones? Because I want to avoid the pull rate limit from DockerHub, so I need the public images fetched from DockerHub to be done in an authenticated manner.

Cheers

You would use a $REGISTRY prefix if you want to use a pull-through cache to manage image pulls from docker.io. GitLab’s Dependency Proxy docs cover this.

Otherwise, if you have a DOCKER_AUTH_CONFIG or explicit docker login in your job, you can just use the plain image names that you find on Docker Hub.

Hi @GreenZombie76,

Thanks for pointing that out; I am familiar with the Dependency Proxy solution, though.

On the second point, the documentation says that if I put DOCKER_AUTH_CONFIG in CI/CD variables, then in image: and in scripts: I need to add the registry in front. Which means I have to change my .gitlab-ci.yml file.

I wanted to avoid changing the .gitlab-ci.yml.

Are you saying that the documentation is not necessarily true? That if I put DOCKER_AUTH_CONFIG in CI/CD variables, both for image: and scripts: I do not need to add the $REGISTRY in front?

I suspect the documentation is conflating some ideas like authenticated registries are usually not docker.io.

The core idea is, the registry you provide auth for in your .docker/config.json / DOCKER_AUTH_CONFIG must match the registry implied by the image repository.

When given simple image names (without a domain), Docker will automatically prepend registry2.docker.io/library/ onto the image. (library is implicitly prepended for any repository that doesn’t contain a slash, so alpine is actually library/alpine.)

And this then matches the entry generated when you docker login without a repository.
Because this is all done by Docker, you don’t need $REGISTRY as an image prefix.

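As an added example (not code from this thread, nor from GitLab or Docker), the following Python script applies the image-name normalization the last reply describes and then checks which auths entry of a DOCKER_AUTH_CONFIG value would be used for a given image. It uses docker.io as Docker's default domain and the https://index.docker.io/v1/ key that docker login writes for Docker Hub when no server is given; the sample config, including the Hub credentials in it, is constructed for the example, reusing the registry.example.com:5000 entry from the runner config quoted at the top of the thread. Decoding that entry also shows why the title's concern is valid: the auth value is plain base64 of user:password, not encryption, so anything that stores the config (a Terraform state file, a config dump) stores the password.

```python
import base64
import json
from typing import Optional, Tuple

# Constructed sample DOCKER_AUTH_CONFIG (not a real credential): the first entry is
# the documentation value quoted in the thread, the second is the key the Docker
# CLI writes for `docker login` with no server argument (Docker Hub).
SAMPLE_DOCKER_AUTH_CONFIG = json.dumps({
    "auths": {
        "registry.example.com:5000": {"auth": "bXlfdXNlcm5hbWU6bXlfcGFzc3dvcmQ="},
        "https://index.docker.io/v1/": {
            "auth": base64.b64encode(b"hubuser:hubtoken").decode()
        },
    }
})

DEFAULT_DOMAIN = "docker.io"
INDEX_KEY = "https://index.docker.io/v1/"


def normalize_reference(image: str) -> Tuple[str, str]:
    """Split an image reference into (registry, repository) using Docker's defaults:
    no domain -> docker.io, and on docker.io no slash -> library/<name>.
    Tag and digest are dropped because credentials are selected per registry."""
    name = image.split("@", 1)[0]            # drop @sha256:... digest
    last_slash = name.rfind("/")
    colon = name.rfind(":")
    if colon > last_slash:                   # a colon after the last slash is a tag
        name = name[:colon]
    first, _, rest = name.partition("/")
    # The first path component is a registry only if it looks like a host.
    if rest and ("." in first or ":" in first or first == "localhost"):
        domain, path = first, rest
    else:
        domain, path = DEFAULT_DOMAIN, name
    if domain == "index.docker.io":          # Docker treats this as the default domain
        domain = DEFAULT_DOMAIN
    if domain == DEFAULT_DOMAIN and "/" not in path:
        path = "library/" + path
    return domain, path


def lookup_auth(docker_auth_config: str, image: str) -> Optional[Tuple[str, str]]:
    """Return the decoded (username, password) that this DOCKER_AUTH_CONFIG would send
    when pulling `image`, or None when no auths entry matches its registry."""
    auths = json.loads(docker_auth_config).get("auths", {})
    domain, _ = normalize_reference(image)
    candidates = {domain}
    if domain == DEFAULT_DOMAIN:
        candidates.add(INDEX_KEY)
    for key, entry in auths.items():
        # Tolerate scheme-prefixed keys such as "https://registry.example.com:5000/".
        bare = key.split("://", 1)[-1].rstrip("/")
        if key in candidates or bare in candidates:
            user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
            return user, password
    return None


if __name__ == "__main__":
    for ref in ("alpine", "namespace/image:tag",
                "registry.example.com:5000/namespace/image:tag", "ghcr.io/org/app:1"):
        print(ref, "->", normalize_reference(ref), lookup_auth(SAMPLE_DOCKER_AUTH_CONFIG, ref))
```

Running it shows that alpine and namespace/image resolve to docker.io and pick up the Hub entry with no $REGISTRY prefix, while the private registry is only matched when the image name carries registry.example.com:5000 explicitly, and that the quoted auth value decodes straight back to my_username:my_password.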