This document outlines the process and results of configuring Docker authentication for GitLab CI/CD runners. The objective was to test various authentication scenarios across multiple groups, subgroups, and GitLab instances to ensure smooth authentication and pipeline execution.
Initial Configuration
The following setup was implemented on the kistembd VM for GitLab runners:
Docker authentication was set up within the [[runners]] configuration using the DOCKER_AUTH_CONFIG environment variable:
This configuration allowed the runner to authenticate and push/pull from Docker Hub using stored credentials.
Test Cases and Results
Test Case 1: Single Group Authentication
Objective: Verify that a runner configured with a group token can push and pull images from multiple repositories within the same group.
Setup:
A runner was configured with a group token for mbd_outreach.
Pipelines were triggered for presentation-platform and presentation-platform-1.
Result: ✅ Passed. Both repositories successfully pushed and pulled images using the same runner and token.
Test Case 2: Cross-Group Authentication
Objective: Test authentication failure when using a token from Group 1 in a runner for Group 2.
Setup:
Group 1: mbd_outreach
Group 2: gitlab_credential_test
A token from mbd_outreach was added to the runner for gitlab_credential_test.
A pipeline was triggered in gitlab_credential_test.
Result: ❌ Failed. Authentication failed as expected since a token from mbd_outreach cannot authenticate in gitlab_credential_test.
Test Case 3: Subgroup Authentication Hierarchy
Objective: Validate the inheritance and limitations of authentication tokens across subgroups.
Setup:
Group 1: mbd_outreach
Subgroup 1: outreach_1 (Runner configured with token_outreach_1)
Subgroup 2: outreach_2 (Runner only inherits the group runner if active)
Results:
✅ outreach_1 pipelines always succeeded.
✅ outreach_2 pipelines succeeded only when the group runner for mbd_outreach was active.
❌ If no active runner was present in mbd_outreach, outreach_2 pipeline failed.
Test Case 4: Shared Runner Authentication
Objective: Verify if two subgroups using the same runner and token can execute pipelines successfully.
Setup:
Both outreach_1 and outreach_2 inherited Runner 1, which was registered with token_outreach_1.
Result: ✅ Passed. Both subgroups successfully executed pipelines using the shared runner and token.
Test Case 5: Multi-GitLab Instance Authentication
Objective: Ensure runners on the same VM can authenticate to separate GitLab instances simultaneously.
Setup:
Two GitLab instances: git and git-ce
Group 1 (git): gitlab-credential-test, Runner1 with Group1 credentials
Group 2 (git-ce): gitlab-credential-ce, Runner2 with Group2 credentials
Pipelines triggered simultaneously in presentation (Repo1) and presentation-ce (Repo2)
Result:✅Passed. Both pipelines executed successfully without authentication conflicts.