We use Gitlab CI/CD, building and deploying with runners on locally hosted machines and using the Gitlab container registry to store our Docker images. We log in to the Gitlab registry like so:
default:
  before_script:
    - "docker login -u \"${CI_REGISTRY_USER}\" -p \"${CI_REGISTRY_PASSWORD}\" \"${CI_REGISTRY}\""
This works fine with the runners in our deployment environments, which each only run a single job concurrently. However, our build machine is supposed to run multiple build jobs concurrently. The problem is, the ${CI_REGISTRY_PASSWORD} provided by Gitlab for each job is different and, it seems, valid only for that job. Thus, when we have multiple jobs running at once, their calls to docker login overwrite each other, causing other jobs to fail with "authentication required" errors.
Currently, we're working around the problem by performing a new docker login command before every docker push or docker pull to minimize the chance that another job will perform a login command of its own in between, but there's got to be a better way.
What is the recommended solution for managing Docker registry logins with concurrent jobs?
This sort of thing is best handled using a Deploy Token; it's exactly what it was intended for. This allows you to set a user, so you can tell the CI server was the one who pushed the container, and also set an expiration for security reasons:
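An added example of how the deploy-token login can be wired into a job's before_script; this is not the answerer's code and not part of the original post. It assumes the deploy token is named gitlab-deploy-token so that GitLab exposes it as CI_DEPLOY_USER and CI_DEPLOY_PASSWORD, and it uses the standard CI_REGISTRY, CI_JOB_ID and CI_PROJECT_DIR variables. It goes one step beyond the answer: rather than letting every job write to the shared ~/.docker/config.json, it writes the registry credential (the same auths entry that docker login stores when no credential helper is configured) into a per-job directory and exports DOCKER_CONFIG, so concurrent jobs on one runner host cannot overwrite each other's login even if they use different tokens. The placeholder values used when the variables are absent are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the question or answer. Log in to the GitLab
# registry with deploy-token credentials, keeping each job's Docker
# credential store in its own directory so concurrent jobs never clobber
# one another's login.
#
# Assumptions: GitLab exposes CI_DEPLOY_USER / CI_DEPLOY_PASSWORD for a deploy
# token named "gitlab-deploy-token"; CI_REGISTRY, CI_JOB_ID, CI_PROJECT_DIR and
# CI=true are the usual GitLab CI variables. Placeholders below are constructed.

set -eu

# Write a Docker client config.json equivalent to what `docker login` stores
# (base64 of "user:password" under auths.<registry>) into config_dir.
# Prints the path of the file written.
write_docker_auth() {
    registry="$1"; user="$2"; password="$3"; config_dir="$4"
    mkdir -p "$config_dir"
    chmod 700 "$config_dir"
    auth=$(printf '%s:%s' "$user" "$password" | base64 | tr -d '\n')
    # Subshell so the restrictive umask does not leak into the caller.
    (
        umask 077
        printf '{\n  "auths": {\n    "%s": {\n      "auth": "%s"\n    }\n  }\n}\n' \
            "$registry" "$auth" > "$config_dir/config.json"
    )
    printf '%s\n' "$config_dir/config.json"
}

# Per-job credential directory under the checkout, keyed by CI_JOB_ID, so two
# jobs running at once on the same host read different config files.
job_docker_config_dir() {
    printf '%s/.docker-%s\n' "${CI_PROJECT_DIR:-/tmp}" "${CI_JOB_ID:-local}"
}

# Intended to be called from before_script. After this, every docker command
# in the job (build, push, pull) uses the job-private credential file.
ci_registry_login() {
    dir=$(job_docker_config_dir)
    write_docker_auth "${CI_REGISTRY:-registry.example.com}" \
        "${CI_DEPLOY_USER:-gitlab+deploy-token-1}" \
        "${CI_DEPLOY_PASSWORD:-constructed-placeholder}" "$dir" > /dev/null
    DOCKER_CONFIG="$dir"
    export DOCKER_CONFIG
}

# Only perform the login when actually running inside a GitLab CI job.
if [ "${CI:-}" = "true" ]; then
    ci_registry_login
fi
```

In .gitlab-ci.yml this replaces the docker login line in before_script with a call to the script (for example `- . ./ci-docker-login.sh`, sourced so the exported DOCKER_CONFIG reaches the job's later commands). Because the deploy token is long-lived, remember to scope it to read_registry/write_registry only and give it the expiration the answer mentions; the per-job directory lives inside the checkout and is removed with the job's workspace.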