Gitlab 16: how it is going to work with tokens with expiry date?


According Project access tokens | GitLab

The ability to create project access tokens without expiry was deprecated in GitLab 15.4 and is planned for removal in GitLab 16.0.

so I would to know how it will be possible to create long-life token starting this release ?

For instance I need that for my kubernetes deployment to pull image containe from my private gitlab registry.


1 Like

same question.

one potential solution would be to regenerate the token and redeploy the app on a scheduled basis but being forced to do that would suck beyond belief.

what’s the proposed best practice for imagepull secrets?
if my helm chart in a deploy project needs to pull images from the registries of a half dozen projects what are the options?

create deploy tokens for each project, which has docker images in its registry, and copy paste the deploy tokens to each deploy project that needs to use them?

seems like a lot of work compared to making these registry image projects internal and using a long lived project access token or even a deployment user with a personal access token (which can read all internal project registries) the only problem is that the access token will now expire after a year, causing a bad day some time in the future when cluster autoscaler cycles a node and the new node can no longer pull images because the token expired.

i am all for rotating secrets, but if they can’t be auto-rotated it’s sometimes not practical to force people to rotate these secrets on an arbitrary schedule for no real benefit.