Share deploy tokens across groups? Or switch to subgroups?

Hi there. We use GitLab.com to host numerous private repos for our organization. Let’s say they are organized like this:

/groupA
  /project1
  /project2
/groupB
  /project3
  /project4
/shared-stuff
  /project5
  /project6
  /docker-images

This is because groupA contains projects used for one side of our business, groupB contains another side’s, and shared-stuff contains projects that are used by both sides. I have gotten include to work between projects in one group, have set up group-level deploy tokens so e.g. project5 and project6 can share auth for the container registry, etc., but am not sure if it’s possible, and if so, what’s the best way to unify authentication, registry access, etc. across all three organizations.

I’m trying to do this for two reasons:

  1. Most of our repos use containers that I’m storing in /shared-stuff/docker-images in their pipelines for stuff like terraform, java, etc. I can create a deploy token in shared-stuff that all three groups use, but that means I’ll have to maintain three different deploy tokens, one for each group, and update my pipelines to make sure that when groupA projects access groupA stuff they use that token, and when they access shared-stuff they use a different one. It will also significantly complicate some pipelines, as they may need to authenticate with the shared token to retrieve the runner images, then with the group token to build and push that app, etc.
  2. We deploy to Rancher, which lets you enter logins for your Docker registry. For each entry I can only provide the host, e.g. registry.gitlab.com, and not the path, so there’s no way for me to configure things such that it uses groupA’s credentials for groupA projects, groupB for groupB, etc.

This three-group setup is the structure that I’ve inherited. If migrating all three groups into a single subgroup completely solves these problems for us (I’m guessing it probably does and is probably how this should have been set up originally) and there’s no other simple way to do so, then I guess that’s what we have to do. e.g.:

/our-org
  /groupA
    /project1
    /project2
  /groupB
    /project3
    /project4
  /shared-stuff
    /project5
    /project6
    /docker-images

And then we just define everything under /our-org. I imagine that will be an enormous amount of work, so if anyone knows a way to avoid that lift and help me do this with what we’ve got today, I’d be much obliged!

Thanks in advance.
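For readers who want to see the two-token pipeline described in point 1 written out, here is an added example job (not from the original post). It assumes a read-only deploy token created in /shared-stuff and stored as the group-level CI/CD variables SHARED_DEPLOY_USER and SHARED_DEPLOY_TOKEN (hypothetical names), the same token stored as DOCKER_AUTH_CONFIG at group level in Docker's config.json format so the runner can pull the job image from /shared-stuff/docker-images, and a hypothetical image path under that project.

```yaml
# Added example, not from the original post.
# Assumptions (see lead-in): SHARED_DEPLOY_USER / SHARED_DEPLOY_TOKEN and
# DOCKER_AUTH_CONFIG are group-level CI/CD variables; the image path below
# is hypothetical.
#
# Both the shared-stuff registry and this project's registry live on
# registry.gitlab.com, and Docker keys credentials by registry host, so a
# job can hold only one login for that host at a time. The job therefore
# logs in with the shared deploy token to build (so FROM lines can pull
# shared base images), then re-logs in with the job's own token to push.

stages: [build]

build-and-push:
  stage: build
  # Pulled by the runner using DOCKER_AUTH_CONFIG (shared deploy token).
  image: registry.gitlab.com/shared-stuff/docker-images/docker:latest
  services:
    - docker:dind
  variables:
    DOCKER_TLS_CERTDIR: "/certs"
  script:
    # 1. Shared deploy token: read-only, lets `docker build` pull FROM
    #    images that live in /shared-stuff/docker-images.
    - echo "$SHARED_DEPLOY_TOKEN" | docker login -u "$SHARED_DEPLOY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA" .
    # 2. Job token (CI_REGISTRY_PASSWORD is CI_JOB_TOKEN): scoped to this
    #    project's registry and expires when the job ends. Logging in again
    #    overwrites the registry.gitlab.com entry written in step 1.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"
    # Drop the credential so it does not linger in the job container.
    - docker logout "$CI_REGISTRY"
```

Note that the second login is the one that stays in effect for the rest of the job, which is why the push uses the short-lived job token rather than the long-lived deploy token.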