GitLab CI pull docker from private registry

The situation

I'm currently working on a project where I migrate the CI environment from Jenkins to GitLab CI. To get everything working I've built a few docker containers that should serve as base images for the CI pipeline. These containers cannot be stored in the GitLab internal container registry and should be pushed to an Artifactory instance.

What I already did/tried

So far I got everything going by using Kaniko for the Docker builds and the resulting images are correctly pushed to the Artifactory registry - so far, so good.

However, I've now reached a point where I have CI jobs that should make use of previously built container images as their base image, so they should be pulled from the Artifactory instance, which serves as a private registry.

Example config

.docker-build-abstract:
  image: custom.kaniko.fork.from.internal.gitlab-registry:<tag>
  script:
    - |
      echo "build container with image tag: ${IMAGE_TAG}"
      # kaniko default build..

# This job builds an image that is pushed to private registry.
docker-build-1:
  stage: "build"
  variables:
    IMAGE_TAG: some.nice.tag
    BUILD_ARGS: --build-arg foo=bar --build-arg bar=baz
  extends:
    - .docker-build-abstract

# This job should make use of the previously built image
other-job-1:
  stage: "build"
  image: docker.from.docker-build-1:<tag>
  script: #...

The problem with this is that I cannot make use of the DOCKER_AUTH_CONFIG variable in the CI settings that is proposed in the official docs. This is because (my understanding) when providing this variable in the project settings this would overwrite the default registry settings (CI_REGISTRY, CI_REGISTRY_USER, CI_REGISTRY_PASSWORD), but I need to preserve the values behind these internal variables because some of the first jobs make use of container images that are only present within this private GitLab instance.

Is it possible to provide multiple auth configs in the CI/CD variable settings? And how would I reference the predefined variables in here, since this is important to keep the internal registry known?

I would imagine something like below (which is part of the kaniko pre-configuration), but cannot come up with a possible solution for this scenario.

{
  "auths": {
    "$PRIVATE_REGISTRY": {
      "username": "$PRIV_REGISTRY_USER",
      "password": "$PRIV_REGISTRY_API_KEY",
      "email": "$PRIV_REGISTRY_USER_EMAIL"
    },
    "$CI_REGISTRY": {
      "username": "$CI_REGISTRY_USER",
      "password": "$CI_REGISTRY_PASSWORD"
    }
  }
}

In my understanding the variables can be overwritten in the CI configuration, but this did not work for me. Would this require advanced configuration of the CI runner to achieve the desired behavior, like outlined here in the docs?

Really appreciate your help or hints!

You can in fact configure multiple credentials in the "auths" section above. That does work fine for us. But I don't think it will work via setting DOCKER_AUTH_CONFIG in the CI pipeline. I think we tried that once and it did not work. We configure it in the Runner configuration by setting the environment variable.

If you can't do that, another solution would be to run the docker login command in your CI pipeline, e.g. in the before_script section.
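As an added example (not part of the original question or answer), the shell functions below generate a Docker auth config with one "auths" entry per registry, in the shape sketched in the question but using the base64 `auth` field so usernames and passwords need no JSON escaping. The function names `docker_auth_json` and `write_docker_config` are hypothetical; the variable names in the usage comment are the ones from the question.

```shell
#!/bin/sh
# Added example: emit {"auths":{...}} for any number of registries.
# Arguments come in triplets: <registry-host> <username> <password>.
docker_auth_json() {
    [ "$#" -gt 0 ] && [ $(( $# % 3 )) -eq 0 ] || {
        echo "usage: docker_auth_json HOST USER PASS [HOST USER PASS ...]" >&2
        return 2
    }
    entries=""
    while [ "$#" -gt 0 ]; do
        host=$1 user=$2 pass=$3
        shift 3
        # An unset CI variable expands to "", which would yield a useless entry.
        [ -n "$host" ] && [ -n "$user" ] && [ -n "$pass" ] || {
            echo "empty registry, user or password" >&2
            return 1
        }
        # The host is the only value placed into the JSON verbatim, so
        # restrict it to characters that cannot break out of the string.
        case $host in
            *[!A-Za-z0-9.:/_-]*) echo "invalid registry host" >&2; return 1 ;;
        esac
        # "auth" is base64("user:password"); printf is a shell builtin, so the
        # secret does not show up in another process's argument list.
        token=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
        entries="${entries}${entries:+,}\"${host}\":{\"auth\":\"${token}\"}"
    done
    printf '{"auths":{%s}}\n' "$entries"
}

# Write the config as <dir>/config.json, readable by the owner only.
# base64 is an encoding, not encryption: the file holds usable credentials.
write_docker_config() {
    dir=$1
    shift
    json=$(docker_auth_json "$@") || return
    ( umask 077 && mkdir -p "$dir" && printf '%s\n' "$json" > "$dir/config.json" )
}

# Usage in a kaniko job (kaniko reads /kaniko/.docker/config.json):
#   write_docker_config /kaniko/.docker \
#     "$PRIVATE_REGISTRY" "$PRIV_REGISTRY_USER" "$PRIV_REGISTRY_API_KEY" \
#     "$CI_REGISTRY" "$CI_REGISTRY_USER" "$CI_REGISTRY_PASSWORD"
```

The output of `docker_auth_json` has the same structure as a DOCKER_AUTH_CONFIG value; keep it out of job logs and store the input credentials as masked CI/CD variables.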
