From 53e8f40aea19095187a2e50a23fe2a7391d3c06c Mon Sep 17 00:00:00 2001 From: Benjamin Date: Fri, 27 Mar 2026 13:20:33 +0000 Subject: [PATCH 1/4] Add ECIR project and robot account creation to the registry documentation --- docs/images/registry/CreateECIRProject.png | Bin 0 -> 11280 bytes docs/services/registry/working-with.md | 40 +++++++++++++++------ 2 files changed, 30 insertions(+), 10 deletions(-) create mode 100644 docs/images/registry/CreateECIRProject.png 
diff --git a/docs/images/registry/CreateECIRProject.png b/docs/images/registry/CreateECIRProject.png new file mode 100644 index 0000000000000000000000000000000000000000..9a7305102cb6e8000f025d7dbf200f63225b033a GIT binary patch
diff --git a/docs/services/registry/working-with.md b/docs/services/registry/working-with.md index a31f2741f..5901f7333 100644 
--- a/docs/services/registry/working-with.md +++ b/docs/services/registry/working-with.md @@ -13,6 +13,20 @@ User tokens can be accessed from the User Profile from the dropdown under your U See the FAQ section ['Unauthorised' error when logging into the registry from Docker](./faq.md#unauthorised-error-when-logging-into-the-registry-from-docker) for help with token expiry and authorisation issues. +## Creating a Project Repository + +Each EIDF project can have a private space on the registry, this is called an Edinburgh Container Image Registry (ECIR) project. An ECIR project can be used to store images and artifacts that are private to the project. + +To create an ECIR project: + +1. Navigate to your EIDF project in the EIDF portal. +2. Find the **Container Registry Project** section. +3. Click the **Create Project** button. + +This will generate the ECIR project, which will be accessible from the registry interface within a few minutes. The project will be named with the same name as your EIDF project. +![CreateECIRProject](../../images/registry/CreateECIRProject.png){: class="border-img"} + *Example Create ECIR Project* + ## Push Commands In your project, there is a PUSH Command option which will give you the command templates for pushing to the Project repositories from different clients. 
@@ -26,6 +40,20 @@ Each repository in a project has a COPY PULL button option once an image/artifac Clicking on a tag in a repository will open up the information on the artifact, this can include an overview of the image, vulnerability summary, SBOM and build history. +## Creating Robot Accounts for the Registry + +If you are regularly using a repository from a project where you are sharing resources and need automated, read-only access (for example, pulling images into compute jobs), it is recommended to create a robot account with limited pull-only privileges. + +If you also need to publish images (for example, as part of an automated build or CI/CD pipeline), you should instead create a robot account with pull and push (read and write) permissions for the project. + +Robot accounts can be added by a project administrator as follows: + +1. In the ECIR project, click the **+ pull robot** or **+ push robot** button within the project. +2. Wait a few minutes for the robot account to be created. +3. Go to the **Robot Account** section of the project to access the credentials, which include a username and a CLI Secret for logging into the registry from Docker and other container services. + +Robot accounts with pull and push permissions have a default validity period of 30 days, after which they will expire and need to be renewed. This is to ensure that access is regularly reviewed and maintained. + ## Using from the Command Line with Docker Important: Run these commands on a system that has Docker installed and has access to the ECIR. 
@@ -61,20 +89,12 @@ https://docs.docker.com/engine/reference/commandline/login/#credentials-store Login Succeeded ``` - +To pull images from the registry, from private or authenticated projects, you will need to add a secret to the namespace you are using and reference it in your job definition. Note that user tokens have a limited validity period and therefore, robot accounts are recommended for long-term use. See the section on [Creating a Robot Account](#creating-robot-accounts-for-the-registry) for more details. From your command line, you can now push and pull images to the registry. ## Kubernetes/GPU Service Access -To pull images from the registry, from private or authenticated projects, you will need to add a secret to the namespace you are using and reference it in your job definition. Note that user tokens have a limited validity period. - -If you are regularly using a repository from a project where you are sharing resources, it is recommended to create a robot account with limited read only privileges, this can be requested via a Helpdesk Request for your project. - -!!! important "Portal Management" - - There will be new functionality soon added to the EIDF Portal to allow for project users to create read only robot accounts and for PI/Managers to create read/write robot accounts for use in CI/CD pipelines for image building. - -This is then treated like a normal user secret when you have the robot credentials. +To pull images from the registry, from private or authenticated projects, you will need to add a secret to the namespace you are using and reference it in your job definition. Note that user tokens have a limited validity period and hence robots are recommended for long term use. See the section on [Creating a Robot Account](#creating-robot-accounts-for-the-registry) for more details. Secrets can be created in one of two ways, as detailed below, either directly via kubectl from your Docker config.json file, or by creating a YAML file. 
From 9e2abda715f7c23411c41452df1aa2ddc737e557 Mon Sep 17 00:00:00 2001 From: Benjamin Date: Tue, 31 Mar 2026 09:02:32 +0100 Subject: [PATCH 2/4] Add container image building pipeline guidance --- docs/services/gitlab/quickstart.md | 47 +++++++++++++++++++++++++++++- 1 file changed, 46 insertions(+), 1 deletion(-) diff --git a/docs/services/gitlab/quickstart.md b/docs/services/gitlab/quickstart.md index c1ed7c0ab..55f8ac999 100644 --- a/docs/services/gitlab/quickstart.md +++ b/docs/services/gitlab/quickstart.md 
@@ -38,4 +38,49 @@ For a more complete set of documentation relating to adding and using SSH keys w ## CI/CD Examples -A repository containing some common Gitlab CI/CD configurations and relevant examples is maintained at at [Gitlab CI/Cd Examples](https://gitlab.eidf.ac.uk/Liz/cicd-examples) +A repository containing some common Gitlab CI/CD configurations and relevant examples is maintained at [Gitlab CI/Cd Examples](https://gitlab.eidf.ac.uk/Liz/cicd-examples) + +## Building a Container Image with Gitlab CI/CD + +Automation of building of container images is possible using Gitlab CI/CD in the default Gitlab Instance runner + +Images can be built from a docker file using [BuildKit](https://docs.docker.com/build/buildkit/). This requires users do the following: + +### Harbor Integration and the ECIR (Recommended) + +It is recommended that users setup Harbor Integration to use the EIDF Container Image Registry (ECIR) as the output location for built images. The ECIR is recommended as it is part of EIDF infrastructure and hence provides speed over external registries as well as a number of built in Security features such as SBOM and security scanning via Trivy. + +We assume users have setup an ECIR project and Push Robot which are detailed in ECIR Working with sections [Creating a Project Repository](../registry/working-with.md#creating-a-project-repository) and [Creating Robot Accounts for the Registry](../registry/working-with.md#creating-robot-accounts-for-the-registry) respectively. + +Users should follow the [GitLab documentation on Harbor Integration](https://docs.gitlab.com/user/project/integrations/harbor/), making note of the following values to be input: + +- Harbor URL: `https://registry.eidf.ac.uk` +- Harbor Project Name: Typically the same as the EIDF project you are working in e.g. 
`eidf123` +- Username: The username of the Push Robot for your ECIR project, typically has a name like `eidf123-push-robot` +- Password: The secret key of the push robot + +## Setting up the CI/CD Pipeline + +Include a stage in the .gitlab-ci.yml using the following template, taking special note of replacing parts in `< >` and if not using Harbor integration ensuring the Environment Variables are set correctly: + +```.gitlab-ci.yml +build-rootless: + image: + name: moby/buildkit:rootless + stage: build + variables: + BUILDKITD_FLAGS: --oci-worker-no-process-sandbox + REG_IMAGE: "$HARBOR_HOST/$HARBOR_PROJECT/:$CI_COMMIT_SHA" + before_script: + - mkdir -p ~/.docker + - echo "{\"auths\":{\"$HARBOR_HOST\":{\"username\":\"$HARBOR_USERNAME\" ,\"password\":\"$HARBOR_PASSWORD\"}}}" > ~/.docker/config.json + script: + - | + buildctl-daemonless.sh build \ + --frontend dockerfile.v0 \ + --local context=. \ + --local dockerfile=<. or dockerfile path to use> \ + --output type=image,name=$REG_IMAGE,push=true +``` + +This will build an image using the specified dockerfile and push it to the specified registry. The template is lightly adapted from the GitLab documentation on [building and pushing Docker images with BuildKit](https://docs.gitlab.com/ee/ci/docker/using_docker_buildx.html#build-and-push-docker-images-with-buildkit) where more examples and details can be found. From 3b8ffd958fa80fe976bed2ab8688d8bebcf64179 Mon Sep 17 00:00:00 2001 From: Benjamin Date: Tue, 31 Mar 2026 09:06:00 +0100 Subject: [PATCH 3/4] Fix capitalisation of GitLab --- docs/services/gitlab/quickstart.md | 10 +++++----- mkdocs.yml | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/services/gitlab/quickstart.md b/docs/services/gitlab/quickstart.md index 55f8ac999..677c562b3 100644 --- a/docs/services/gitlab/quickstart.md +++ b/docs/services/gitlab/quickstart.md 
@@ -2,7 +2,7 @@ ## Accessing -Access the EIDF gitlab in your browser by opening [https://gitlab.eidf.ac.uk/](https://gitlab.eidf.ac.uk/). You must be a member of an active EIDF project and have a user account to use the EIDF gitlab Service. +Access the EIDF GitLab in your browser by opening [https://gitlab.eidf.ac.uk/](https://gitlab.eidf.ac.uk/). You must be a member of an active EIDF project and have a user account to use the EIDF GitLab Service. ![GitLab Login Page](../../images/access/gitlab-login.png) @@ -34,15 +34,15 @@ From the command line, you can clone this repository by adding your username and To clone a repository using git over SSH, click on the "Code" button to get the git+ssh URL. You will need to have added an SSH key to your account for this method to work. -For a more complete set of documentation relating to adding and using SSH keys with Gitlab, see the upstream [Gitlab Documentation](https://docs.gitlab.com/user/ssh/) +For a more complete set of documentation relating to adding and using SSH keys with GitLab, see the upstream [GitLab Documentation](https://docs.gitlab.com/user/ssh/) ## CI/CD Examples -A repository containing some common Gitlab CI/CD configurations and relevant examples is maintained at [Gitlab CI/Cd Examples](https://gitlab.eidf.ac.uk/Liz/cicd-examples) +A repository containing some common GitLab CI/CD configurations and relevant examples is maintained at [GitLab CI/CD Examples](https://gitlab.eidf.ac.uk/Liz/cicd-examples) -## Building a Container Image with Gitlab CI/CD +## Building a Container Image with GitLab CI/CD -Automation of building of container images is possible using Gitlab CI/CD in the default Gitlab Instance runner +Automation of building of container images is possible using GitLab CI/CD in the default GitLab Instance runner Images can be built from a docker file using [BuildKit](https://docs.docker.com/build/buildkit/). This requires users do the following: 
diff --git a/mkdocs.yml b/mkdocs.yml index 3377bb132..9b44aeffd 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -96,8 +96,8 @@ nav: # - "Quickstart": services/mft/quickstart.md # - "Using the MFT": services/mft/using-the-mft.md - "Code Collaboration": - - "Gitlab Overview": services/gitlab/index.md - - "Gitlab Quickstart": services/gitlab/quickstart.md + - "GitLab Overview": services/gitlab/index.md + - "GitLab Quickstart": services/gitlab/quickstart.md - "Container Image Registry Overview": services/registry/index.md - "Container Image Registry Projects and Caches": services/registry/projects.md - "Container Image Registry Use": services/registry/working-with.md From abf5d5d3da90677576b5dd60d3f3c1f4f5a2d183 Mon Sep 17 00:00:00 2001 From: Benjamin Date: Fri, 1 May 2026 17:09:31 +0100 Subject: [PATCH 4/4] docs(gitlab-ci): add details around using harbor images in gitlab-ci Also refactors into CI/CD into own page --- docs/services/gitlab/cicd.md | 66 ++++++++++++++++++++++++++++++ docs/services/gitlab/quickstart.md | 49 +--------------------- 2 files changed, 68 insertions(+), 47 deletions(-) create mode 100644 docs/services/gitlab/cicd.md diff --git a/docs/services/gitlab/cicd.md b/docs/services/gitlab/cicd.md new file mode 100644 index 000000000..e0f799e17 --- /dev/null +++ b/docs/services/gitlab/cicd.md 
@@ -0,0 +1,66 @@ +# Continuous Integration and Continuous Deployment (CI/CD) with EIDF GitLab + +A repository containing some common GitLab CI/CD configurations and relevant examples is maintained at [GitLab CI/CD Examples](https://gitlab.eidf.ac.uk/Liz/cicd-examples) + +## Harbor Integration and the ECIR + +We recommend that users setup Harbor Integration to automate the use of the EIDF Container Image Registry (ECIR) as the pull and push location for container images. The ECIR is recommended as it is part of EIDF infrastructure and hence provides speed over external registries as well as a number of built in Security features such as SBOM and security scanning via Trivy. More documentation around the ECIR can be found in the [ECIR documentation](../registry/overview.md) and the [ECIR working with documentation](../registry/working-with.md). + +We assume users have setup an ECIR project and Push Robot which are detailed in ECIR Working with sections [Creating a Project Repository](../registry/working-with.md#creating-a-project-repository) and [Creating Robot Accounts for the Registry](../registry/working-with.md#creating-robot-accounts-for-the-registry) respectively. + +Users should follow the [GitLab documentation on Harbor Integration](https://docs.gitlab.com/user/project/integrations/harbor/), making note of the following values to be input: + +- Harbor URL: `https://registry.eidf.ac.uk` +- Harbor Project Name: Typically the same as the EIDF project you are working in e.g. `eidf123` +- Username: The username of the Push Robot for your ECIR project, typically has a name like `eidf123-push-robot` +- Password: The secret key of the push robot + +## Using an ECIR image in GitLab CI/CD + +The ECIR is a private registry and so the use of images stored in the ECIR requires authentication. A number of methods for this are documented in the [GitLab documentation](https://docs.gitlab.com/ci/docker/using_docker_images/#access-an-image-from-a-private-container-registry). 
We recommend setting up a variable defining the DOCKER_AUTH_CONFIG as described in the GitLab documentation above. When making use of the Harbor Integration this variable should be set as follows: + +```.gitlab-ci.yml +variables: + DOCKER_AUTH_CONFIG: "{\"auths\":{\"$HARBOR_HOST\":{\"username\":\"$HARBOR_USERNAME\",\"password\":\"$HARBOR_PASSWORD\"}}}" +``` + +This will then authorise you to make use of the ECIR in your CI/CD pipelines, for example by pulling an image from the ECIR as the image for a job: + +```.gitlab-ci.yml + +variables: + DOCKER_AUTH_CONFIG: "{\"auths\":{\"$HARBOR_HOST\":{\"username\":\"$HARBOR_USERNAME\",\"password\":\"$HARBOR_PASSWORD\"}}}" + +my-job: + image: $HARBOR_HOST/$HARBOR_PROJECT/hello-world:latest + script: + - echo "This job uses an image from the ECIR" +``` + +## Building a Container Image with GitLab CI/CD + +Automation of building of container images is possible using GitLab CI/CD in the default GitLab Instance runner. + +Images can be built from a Dockerfile using [BuildKit](https://docs.docker.com/build/buildkit/). This requires users to include a stage in the .gitlab-ci.yml using the following template, taking special note of replacing parts in `< >` and if not using Harbor integration ensuring the Environment Variables are set correctly: + +```.gitlab-ci.yml +build-rootless: + image: + name: moby/buildkit:rootless + stage: build + variables: + BUILDKITD_FLAGS: --oci-worker-no-process-sandbox + REG_IMAGE: "$HARBOR_HOST/$HARBOR_PROJECT/:$CI_COMMIT_SHA" + before_script: + - mkdir -p ~/.docker + - echo "{\"auths\":{\"$HARBOR_HOST\":{\"username\":\"$HARBOR_USERNAME\",\"password\":\"$HARBOR_PASSWORD\"}}}" > ~/.docker/config.json + script: + - | + buildctl-daemonless.sh build \ + --frontend dockerfile.v0 \ + --local context=. \ + --local dockerfile=<. or Dockerfile path to use> \ + --output type=image,name=$REG_IMAGE,push=true +``` + +This will build an image using the specified Dockerfile and push it to the specified registry. 
The template is lightly adapted from the GitLab documentation on [building and pushing Docker images with BuildKit](https://docs.gitlab.com/ee/ci/docker/using_docker_buildx.html#build-and-push-docker-images-with-buildkit) where more examples and details can be found. diff --git a/docs/services/gitlab/quickstart.md b/docs/services/gitlab/quickstart.md index 677c562b3..58d319e20 100644 --- a/docs/services/gitlab/quickstart.md +++ b/docs/services/gitlab/quickstart.md 
@@ -36,51 +36,6 @@ To clone a repository using git over SSH, click on the "Code" button to get the For a more complete set of documentation relating to adding and using SSH keys with GitLab, see the upstream [GitLab Documentation](https://docs.gitlab.com/user/ssh/) -## CI/CD Examples +## Where to go next? -A repository containing some common GitLab CI/CD configurations and relevant examples is maintained at [GitLab CI/CD Examples](https://gitlab.eidf.ac.uk/Liz/cicd-examples) - -## Building a Container Image with GitLab CI/CD - -Automation of building of container images is possible using GitLab CI/CD in the default GitLab Instance runner - -Images can be built from a docker file using [BuildKit](https://docs.docker.com/build/buildkit/). This requires users do the following: - -### Harbor Integration and the ECIR (Recommended) - -It is recommended that users setup Harbor Integration to use the EIDF Container Image Registry (ECIR) as the output location for built images. The ECIR is recommended as it is part of EIDF infrastructure and hence provides speed over external registries as well as a number of built in Security features such as SBOM and security scanning via Trivy. - -We assume users have setup an ECIR project and Push Robot which are detailed in ECIR Working with sections [Creating a Project Repository](../registry/working-with.md#creating-a-project-repository) and [Creating Robot Accounts for the Registry](../registry/working-with.md#creating-robot-accounts-for-the-registry) respectively. - -Users should follow the [GitLab documentation on Harbor Integration](https://docs.gitlab.com/user/project/integrations/harbor/), making note of the following values to be input: - -- Harbor URL: `https://registry.eidf.ac.uk` -- Harbor Project Name: Typically the same as the EIDF project you are working in e.g. 
`eidf123` -- Username: The username of the Push Robot for your ECIR project, typically has a name like `eidf123-push-robot` -- Password: The secret key of the push robot - -## Setting up the CI/CD Pipeline - -Include a stage in the .gitlab-ci.yml using the following template, taking special note of replacing parts in `< >` and if not using Harbor integration ensuring the Environment Variables are set correctly: - -```.gitlab-ci.yml -build-rootless: - image: - name: moby/buildkit:rootless - stage: build - variables: - BUILDKITD_FLAGS: --oci-worker-no-process-sandbox - REG_IMAGE: "$HARBOR_HOST/$HARBOR_PROJECT/:$CI_COMMIT_SHA" - before_script: - - mkdir -p ~/.docker - - echo "{\"auths\":{\"$HARBOR_HOST\":{\"username\":\"$HARBOR_USERNAME\" ,\"password\":\"$HARBOR_PASSWORD\"}}}" > ~/.docker/config.json - script: - - | - buildctl-daemonless.sh build \ - --frontend dockerfile.v0 \ - --local context=. \ - --local dockerfile=<. or dockerfile path to use> \ - --output type=image,name=$REG_IMAGE,push=true -``` - -This will build an image using the specified dockerfile and push it to the specified registry. The template is lightly adapted from the GitLab documentation on [building and pushing Docker images with BuildKit](https://docs.gitlab.com/ee/ci/docker/using_docker_buildx.html#build-and-push-docker-images-with-buildkit) where more examples and details can be found. +CI/CD pipelines for automation of workflows are documented in the [GitLab CI/CD documentation](cicd.md).