Add predefined Dependency Proxy variables for current group
Summary
Previously, a user could be a member of a subgroup and use the dependency proxy at the top level group. With the implementation of Deploy Token support with the Dependency Proxy (#280586 (closed)), users must now be a direct member of the top level group with at least reporter access in order to pull images through the proxy.
This has specifically introduced some problems with regard to CI/CD usage of the Dependency Proxy in subgroups. If the CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX
, CI_DEPENDENCY_PROXY_USER
& CI_DEPENDENCY_PROXY_PASSWORD
variables are being used in a pipeline, jobs that were previously passing may now begin to fail if the executing user is not a direct member in the top level group.
However, if the subgroup is referenced in the Dependency Proxy URL, the member only needs to be a member of the relevant subgroup directly in order to use the Dependency Proxy. For example, if the top level group is foo
, and the subgroup foo/bar
, the Dependency proxy can be referenced as gitlab.com:443/foo/bar/dependency_proxy/containers/
in order for the subgroup member to utilize the proxy.
Proposal
Add an additional CI_DEPENDENCY_PROXY
prefix variables that reference the direct group a project is in. This way, users don't have to manually specify a the subgroup in the URL or override existing image prefix URLS in order to use the proxy without direct membership in the top level group.
Adds a new predefined environment variable for use with the dependency proxy.
$CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX
is similar to the existing $CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX
, but the new variable uses the path of the direct namespace or subgroup that the project belongs to, whereas the existing variable uses the root namespace.
Documentation
https://docs.gitlab.com/ee/user/packages/dependency_proxy/#authenticate-within-cicd