Allow pulling container images using personal access tokens

Are there points in the code the reviewer needs to double check?

This touches both authentication and authorization, so please double check the security side of it all.

Does this MR meet the acceptance criteria?

• Changelog entry added, if necessary
• Documentation created/updated
• API support added
  • Check if this needs additional changes to support
• Tests
  • Added for this feature/bug
  • All builds are passing

What are the relevant issue numbers?

Fixes gitlab-org/gitlab-ce#19219

/cc @ayufan

@zj I left some minor comments, questions. My largest concern is that we should probably split the scopes check for personal access token and oauth token, and make it more clear what belongs to which. After that, we might want to add some more tests making sure that DEPLOY_SCOPES is not leaking to the other token or authentication methods.

assigned to @zj

changed the description

marked the checklist item Changelog entry added, if necessary as completed

mentioned in issue #33261 (closed)

added 1 commit

• 0b81b5ac - Create read_registry scope with JWT auth

Compare with previous version

@zj It looks nice. I wonder what you think about my comments ;)

resolved all discussions

mentioned in issue #33357 (moved)

assigned to @ayufan

added 1 commit

• 9fcc3e59 - Fix test failures

Compare with previous version

added 1 commit

• 9fcc3e59 - Fix test failures

Compare with previous version

added 1 commit

• 9fcc3e59 - Fix test failures

Compare with previous version

added 1 commit

• 9fcc3e59 - Fix test failures

Compare with previous version

approved this merge request

merged

mentioned in commit 7adddf49

The instructions are highly unclear on how to actually use a personal access token once it's generated. I don't have intimate familiarity with the code base and even reading the code, I'm unsure of how to use this token in a .gitlab-ci file or in my repo settings.

Guys, could you please give a hint on what to do with kubectl after I've obtained a new Personal Access Token in my profile? I could not find anything on this in the GitLab docs, and the k8s ones are also confusing. It is suggested to call

kubectl create secret docker-registry regsecret --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>

but this does not make sense, because there should be no need for username, email and password anymore. I'm expecting smth like

kubectl create secret docker-registry regsecret --docker-token=<your-token>

but this is obviously wrong.

Could you please help?

UPD: also asked this in https://gitlab.com/gitlab-org/gitlab-ce/issues/19219#note_35662430 – there are a bit more people there.

UPD2: answer is here: https://gitlab.com/gitlab-org/gitlab-ce/issues/19219#note_35675482

mentioned in issue gitlab#10297