diff --git a/docs/usage/docker.md b/docs/usage/docker.md index 973802c3c561b85ce7671e6dda0e7b58c1c97dcd..7f6bbd591177864008ab985109c390e12a52d386 100644 --- a/docs/usage/docker.md +++ b/docs/usage/docker.md 
@@ -427,23 +427,55 @@ If you have dependencies on Google Container Registry (and Artifact Registry) yo ##### Using short-lived access token / Gitlab CI / Google Cloud -Assume you are running GitLab CI in the Google Cloud, and you are storing your Docker images in the Google Container Registry (GCR). +For this example, assume that you want to: -Access to the GCR uses Bearer token based authentication. -This token can be obtained by running `gcloud auth print-access-token`, which requires the Google Cloud SDK to be installed. +- Run the GitLab CI in the Google Cloud +- Store your Docker images in the Google Container Registry (GCR) -The token expires after 60 minutes so you cannot store it in a variable for subsequent builds (like you can with `RENOVATE_TOKEN`). +###### Accessing the Google Container Registry -When running Renovate in this context the Google access token must be retrieved and injected into the `hostRules` configuration just before Renovate is started. +Accessing the GCR uses Bearer token based authentication. -_This documentation gives **a few hints** on **a possible way** to achieve this end result._ +First, install the Google Cloud SDK. +Then get the token by running: `gcloud auth print-access-token`. -The basic approach is that you create a custom image and then run Renovate as one of the stages of your project. -To make this run independent of any user you should use a [`Project Access Token`](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html) (with Scopes: `api`, `read_api` and `write_repository`) for the project and use this as the `RENOVATE_TOKEN` variable for GitLab CI. -See also the [renovate-runner repository on GitLab](https://gitlab.com/renovate-bot/renovate-runner) where `.gitlab-ci.yml` configuration examples can be found. +###### Short-lived GCR Bearer tokens -To get access to the token a custom Renovate Docker image is needed that includes the Google Cloud SDK. 
-The Dockerfile to create such an image can look like this: +The GCR Bearer token expires after 60 minutes. +This means you can _not_ re-use the token in a later build. + +Instead, _before_ Renovate starts in the GCR context, you must: + +1. Fetch the Google access token +1. Inject the token into the `hostRules` configuration + +The following text explains one way to fetch the token, and inject it into Renovate. + +###### Basic approach + +The basic approach is: + +1. Create a custom image: fetch the GCR token, and inject the token into Renovate's `config.js` file +1. Then run Renovate as one of the stages of your project + +###### Independent runs + +To make the run independent of any user, use a [`Project Access Token`](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html). +Give the Project Access Token these scopes: + +- `api` +- `read_api` +- `write_repository` + +Then use the Project Access Token as the `RENOVATE_TOKEN` variable for GitLab CI. +For more (`gitlab-ci.yml`) configuration examples, see the [`renovate-runner` repository on GitLab](https://gitlab.com/renovate-bot/renovate-runner). + +###### Create a custom image + +To access the token, you need a custom Renovate Docker image. +Make sure to install the Google Cloud SDK into the custom image, as you need the `gcloud auth print-access-token` command later. + +For example: ```Dockerfile FROM renovate/renovate:38.52.3 @@ -452,8 +484,10 @@ FROM renovate/renovate:38.52.3 RUN ... ``` -For Renovate to access the Google Container Registry (GCR) it needs the current Google Access Token. -The configuration fragment to do that looks something like this: +###### Accessing the Google Container Registry (GCR) + +Renovate needs the current Google Access Token to access the Google Container Registry (GCR). +Here's an example of how to set that up: ```js hostRules: [ 
@@ -464,7 +498,12 @@ hostRules: [ ]; ``` -One way to provide the short-lived Google Access Token to Renovate is by generating these settings into a `config.js` file from within the `.gitlab-ci.yml` right before starting Renovate: +One way to give Renovate the short-lived Google Access Token is to: + +1. Write a script that generates a `config.js` file, with the token, in your `gitlab-ci.yml` file +1. Run the `config.js` creation scrip just before you start Renovate + +For example: ```yaml script:
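Review bot: in the first hunk (`@@ -427,23 +427,55 @@`), step 1 of the new "Basic approach" list, "Create a custom image: fetch the GCR token, and inject the token into Renovate's `config.js` file", reads as if the token is fetched and written into `config.js` while the image is built, but the rest of the section fetches it at job run time with `gcloud auth print-access-token`, which is the only order that works given the 60-minute expiry, and a token written into an image layer would also persist in that image. Suggest splitting the step into "Create a custom image that includes the Google Cloud SDK" and "In the CI job, fetch the GCR token, generate `config.js` with it, then run Renovate". The same hunk also drops the leading dot in "For more (`gitlab-ci.yml`) configuration examples"; the removed line had `.gitlab-ci.yml`, which is the actual file name.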
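Review bot: the heading added in the second hunk (`@@ -452,8 +484,10 @@`), `###### Accessing the Google Container Registry (GCR)`, nearly duplicates `###### Accessing the Google Container Registry` introduced earlier in the same section, so the page outline shows two near-identical entries and a reader cannot tell which one covers the `gcloud` token and which the `hostRules` block. Suggest renaming this one to reflect its content, e.g. `###### Configure hostRules for GCR`, since the text beneath it introduces the `hostRules` fragment.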
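Review bot: typo in step 2 of the list added in the third hunk (`@@ -464,7 +498,12 @@`): "Run the `config.js` creation scrip just before you start Renovate" should read "script". Step 1 of the same list refers to "your `gitlab-ci.yml` file" where the removed line and the GitLab CI file name use `.gitlab-ci.yml` with the leading dot.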