Merge branch '280582-dependency-proxy-env-vars' into 'master'

Predefined CI variables for the dependency proxy

See merge request gitlab-org/gitlab!49133

app/models/ci/build.rb

@@ -537,6 +537,7 @@ module Ci
       strong_memoize(:variables) do
         Gitlab::Ci::Variables::Collection.new
           .concat(persisted_variables)
+          .concat(dependency_proxy_variables)
           .concat(job_jwt_variables)
           .concat(scoped_variables)
           .concat(job_variables)
@@ -585,6 +586,15 @@ module Ci
       end
     end
 
+    def dependency_proxy_variables
+      Gitlab::Ci::Variables::Collection.new.tap do |variables|
+        break variables unless Gitlab.config.dependency_proxy.enabled
+
+        variables.append(key: 'CI_DEPENDENCY_PROXY_USER', value: ::Gitlab::Auth::CI_JOB_USER)
+        variables.append(key: 'CI_DEPENDENCY_PROXY_PASSWORD', value: token.to_s, public: false, masked: true)
+      end
+    end
+
     def features
       { trace_sections: true }
     end

app/models/dependency_proxy.rb

 # frozen_string_literal: true
 module DependencyProxy
+  URL_SUFFIX = '/dependency_proxy/containers'
+
   def self.table_name_prefix
     'dependency_proxy_'
   end

app/models/project.rb

@@ -1960,6 +1960,7 @@ class Project < ApplicationRecord
       .concat(predefined_project_variables)
       .concat(pages_variables)
       .concat(container_registry_variables)
+      .concat(dependency_proxy_variables)
       .concat(auto_devops_variables)
       .concat(api_variables)
   end
@@ -2011,6 +2012,18 @@ class Project < ApplicationRecord
     end
   end
 
+  def dependency_proxy_variables
+    Gitlab::Ci::Variables::Collection.new.tap do |variables|
+      break variables unless Gitlab.config.dependency_proxy.enabled
+
+      variables.append(key: 'CI_DEPENDENCY_PROXY_SERVER', value: "#{Gitlab.config.gitlab.host}:#{Gitlab.config.gitlab.port}")
+      variables.append(
+        key: 'CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX',
+        value: "#{Gitlab.config.gitlab.host}:#{Gitlab.config.gitlab.port}/#{namespace.root_ancestor.path}#{DependencyProxy::URL_SUFFIX}"
+      )
+    end
+  end
+
   def container_registry_variables
     Gitlab::Ci::Variables::Collection.new.tap do |variables|
       break variables unless Gitlab.config.registry.enabled

app/views/groups/dependency_proxies/_url.html.haml

-- proxy_url = "#{group_url(@group)}/dependency_proxy/containers"
+- proxy_url = "#{group_url(@group)}#{DependencyProxy::URL_SUFFIX}"
 
 %h5.prepend-top-20= _('Dependency proxy URL')
 

changelogs/unreleased/280582-dependency-proxy-env-vars.yml

+---
+title: Add dependency proxy predefined environment variables
+merge_request: 49133
+author:
+type: added

doc/ci/variables/predefined_variables.md

@@ -49,6 +49,10 @@ Kubernetes-specific environment variables are detailed in the
 | `CI_CONFIG_PATH`                              | 9.4    | 0.5    | The path to CI configuration file. Defaults to `.gitlab-ci.yml`                                                                                                                                                                                                                                                                                                   |
 | `CI_DEBUG_TRACE`                              | all    | 1.7    | Whether [debug logging (tracing)](README.md#debug-logging) is enabled                                                                                                                                                                                                                                                                                      |
 | `CI_DEFAULT_BRANCH`                           | 12.4   | all    | The name of the default branch for the project.                                                                                                                                                                                                                                                                                                            |
+| `CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX`               | 13.7    | all    | The image prefix for pulling images through the Dependency Proxy. |
+| `CI_DEPENDENCY_PROXY_SERVER`                           | 13.7    | all    | The server for logging in to the Dependency Proxy. This is equivelant to `$CI_SERVER_HOST:$CI_SERVER_PORT`. |
+| `CI_DEPENDENCY_PROXY_PASSWORD`                         | 13.7    | all    | The password to use to pull images through the Dependency Proxy. |
+| `CI_DEPENDENCY_PROXY_USER`                             | 13.7    | all    | The username to use to pull images through the Dependency Proxy. |
 | `CI_DEPLOY_FREEZE`                            | 13.2   | all    | Included with the value `true` if the pipeline runs during a [deploy freeze window](../../user/project/releases/index.md#prevent-unintentional-releases-by-setting-a-deploy-freeze).                                                                                                                                                                                                                                    |
 | `CI_DEPLOY_PASSWORD`                          | 10.8   | all    | Authentication password of the [GitLab Deploy Token](../../user/project/deploy_tokens/index.md#gitlab-deploy-token), only present if the Project has one related.                                                                                                                                                                                                                                    |
 | `CI_DEPLOY_USER`                              | 10.8   | all    | Authentication username of the [GitLab Deploy Token](../../user/project/deploy_tokens/index.md#gitlab-deploy-token), only present if the Project has one related.                                                                                                                                                                                                                                    |

doc/user/packages/dependency_proxy/index.md

@@ -79,15 +79,14 @@ You can authenticate using:
 
 #### Authenticate within CI/CD
 
-To work with the Dependency Proxy in [GitLab CI/CD](../../../ci/README.md), you can use
-`CI_REGISTRY_USER` and `CI_REGISTRY_PASSWORD`.
+To work with the Dependency Proxy in [GitLab CI/CD](../../../ci/README.md), you can use:
 
-```shell
-docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" gitlab.example.com
-```
+- `CI_DEPENDENCY_PROXY_USER`: A CI user for logging in to the Dependency Proxy.
+- `CI_DEPENDENCY_PROXY_PASSWORD`: A CI password for logging in to the Dependency Proxy.
+- `CI_DEPENDENCY_PROXY_SERVER`: The server for logging in to the Dependency Proxy.
+- `CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX`: The image prefix for pulling images through the Dependency Proxy.
 
-You can use other [predefined variables](../../../ci/variables/predefined_variables.md)
-to further generalize your CI script. For example:
+This script shows how to use these variables to log in and pull an image from the Dependency Proxy:
 
 ```yaml
 # .gitlab-ci.yml
@@ -99,9 +98,9 @@ dependency-proxy-pull-master:
   services:
     - docker:dind
   before_script:
-    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_SERVER_HOST":"$CI_SERVER_PORT"
+    - docker login -u "$CI_DEPENDENCY_PROXY_USER" -p "$CI_DEPENDENCY_PROXY_PASSWORD" "$CI_DEPENDENCY_PROXY_SERVER"
   script:
-    - docker pull "$CI_SERVER_HOST":"$CI_SERVER_PORT"/groupname/dependency_proxy/containers/alpine:latest
+    - docker pull "$CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX"/alpine:latest
 ```
 
 You can also use [custom environment variables](../../../ci/variables/README.md#custom-environment-variables) to store and access your personal access token or other valid credentials.

spec/models/ci/build_spec.rb

@@ -2406,6 +2406,7 @@ RSpec.describe Ci::Build do
 
     before do
       stub_container_registry_config(enabled: container_registry_enabled, host_port: 'registry.example.com')
+      stub_config(dependency_proxy: { enabled: true })
     end
 
     subject { build.variables }
@@ -2423,6 +2424,8 @@ RSpec.describe Ci::Build do
           { key: 'CI_REGISTRY_USER', value: 'gitlab-ci-token', public: true, masked: false },
           { key: 'CI_REGISTRY_PASSWORD', value: 'my-token', public: false, masked: true },
           { key: 'CI_REPOSITORY_URL', value: build.repo_url, public: false, masked: false },
+          { key: 'CI_DEPENDENCY_PROXY_USER', value: 'gitlab-ci-token', public: true, masked: false },
+          { key: 'CI_DEPENDENCY_PROXY_PASSWORD', value: 'my-token', public: false, masked: true },
           { key: 'CI_JOB_JWT', value: 'ci.job.jwt', public: false, masked: true },
           { key: 'CI_JOB_NAME', value: 'test', public: true, masked: false },
           { key: 'CI_JOB_STAGE', value: 'test', public: true, masked: false },
@@ -2455,6 +2458,11 @@ RSpec.describe Ci::Build do
           { key: 'CI_DEFAULT_BRANCH', value: project.default_branch, public: true, masked: false },
           { key: 'CI_PAGES_DOMAIN', value: Gitlab.config.pages.host, public: true, masked: false },
           { key: 'CI_PAGES_URL', value: project.pages_url, public: true, masked: false },
+          { key: 'CI_DEPENDENCY_PROXY_SERVER', value: "#{Gitlab.config.gitlab.host}:#{Gitlab.config.gitlab.port}", public: true, masked: false },
+          { key: 'CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX',
+            value: "#{Gitlab.config.gitlab.host}:#{Gitlab.config.gitlab.port}/#{project.namespace.root_ancestor.path}#{DependencyProxy::URL_SUFFIX}",
+            public: true,
+            masked: false },
           { key: 'CI_API_V4_URL', value: 'http://localhost/api/v4', public: true, masked: false },
           { key: 'CI_PIPELINE_IID', value: pipeline.iid.to_s, public: true, masked: false },
           { key: 'CI_PIPELINE_SOURCE', value: pipeline.source, public: true, masked: false },
@@ -2516,6 +2524,7 @@ RSpec.describe Ci::Build do
           let(:project_pre_var) { { key: 'project', value: 'value', public: true, masked: false } }
           let(:pipeline_pre_var) { { key: 'pipeline', value: 'value', public: true, masked: false } }
           let(:build_yaml_var) { { key: 'yaml', value: 'value', public: true, masked: false } }
+          let(:dependency_proxy_var) { { key: 'dependency_proxy', value: 'value', public: true, masked: false } }
           let(:job_jwt_var) { { key: 'CI_JOB_JWT', value: 'ci.job.jwt', public: false, masked: true } }
           let(:job_dependency_var) { { key: 'job_dependency', value: 'value', public: true, masked: false } }
 
@@ -2525,6 +2534,7 @@ RSpec.describe Ci::Build do
             allow(build).to receive(:persisted_variables) { [] }
             allow(build).to receive(:job_jwt_variables) { [job_jwt_var] }
             allow(build).to receive(:dependency_variables) { [job_dependency_var] }
+            allow(build).to receive(:dependency_proxy_variables) { [dependency_proxy_var] }
 
             allow(build.project)
               .to receive(:predefined_variables) { [project_pre_var] }
@@ -2537,7 +2547,8 @@ RSpec.describe Ci::Build do
 
           it 'returns variables in order depending on resource hierarchy' do
             is_expected.to eq(
-              [job_jwt_var,
+              [dependency_proxy_var,
+               job_jwt_var,
                build_pre_var,
                project_pre_var,
                pipeline_pre_var,