The GitLab Deploy Token generator creates GitLab deploy tokens for a project or a group. A deploy token gives read or write access to a project's repository, container registry, and package registry, which makes it well suited for pulling images or packages from automation.
The generated secret contains two keys:

- `username`: the deploy token username (the value of `spec.username`, or the `gitlab+deploy-token-{n}` value GitLab assigns when `username` is omitted).
- `token`: the deploy token value.

The generator authenticates against the GitLab API with an access token (personal, group, or project) that has the `api` scope and at least the Maintainer role on the target project (or the Owner role on the target group). Store that token in a Kubernetes Secret and reference its name and key from `spec.auth.token.secretRef`:
```sh
kubectl create secret generic gitlab-api-token --from-literal=token=glpat-xxxxxxxxxxxx
```
Set exactly one of `spec.projectID` or `spec.groupID`. Both accept either a numeric ID or an unescaped path such as `group/project`; the generator URL-escapes paths itself before calling the API, so do not pre-encode them (a pre-encoded path is escaped a second time and no longer matches the project). Setting both, neither, or an empty string is rejected by the CRD.
spec.scopes requires at least one of: read_repository, read_registry, write_registry, read_package_registry, write_package_registry. Projects additionally support read_virtual_registry and write_virtual_registry.
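The two rules above (one target, passed to the API as a raw numeric ID or as a path that is escaped exactly once, and a scope list checked against the per-target allow list) are easy to get wrong from the YAML side, so here is an added Go illustration of them. This is example code, not the generator's own implementation: the `Spec` struct and the function names are hypothetical, and the `/api/v4/{projects,groups}/:id/deploy_tokens` path is the documented GitLab endpoint rather than something taken from this page. The second sample input shows what happens to a path you pre-encoded yourself.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
)

// Scopes the page lists. read_virtual_registry and write_virtual_registry
// are accepted for projects only.
var groupScopes = map[string]bool{
	"read_repository": true, "read_registry": true, "write_registry": true,
	"read_package_registry": true, "write_package_registry": true,
}
var projectScopes = map[string]bool{
	"read_repository": true, "read_registry": true, "write_registry": true,
	"read_package_registry": true, "write_package_registry": true,
	"read_virtual_registry": true, "write_virtual_registry": true,
}

// Spec is a hypothetical stand-in for the subset of the generator spec
// discussed on the page; it is not the project's real CRD type.
type Spec struct {
	ProjectID string
	GroupID   string
	Scopes    []string
}

// Target selects the API resource kind and reference for the spec.
// A numeric ID is passed through verbatim; a path is URL-escaped once,
// which is why the spec must carry the path unescaped.
func Target(s Spec) (kind, ref string, err error) {
	switch {
	case s.ProjectID != "" && s.GroupID != "":
		return "", "", errors.New("set exactly one of projectID or groupID, not both")
	case s.ProjectID == "" && s.GroupID == "":
		return "", "", errors.New("set exactly one of projectID or groupID")
	case s.ProjectID != "":
		kind, ref = "projects", s.ProjectID
	default:
		kind, ref = "groups", s.GroupID
	}
	if _, convErr := strconv.Atoi(ref); convErr == nil {
		return kind, ref, nil
	}
	return kind, url.PathEscape(ref), nil
}

// ValidateScopes enforces "at least one scope" and the per-kind allow list.
func ValidateScopes(kind string, scopes []string) error {
	if len(scopes) == 0 {
		return errors.New("spec.scopes must contain at least one scope")
	}
	allowed := groupScopes
	if kind == "projects" {
		allowed = projectScopes
	}
	for _, sc := range scopes {
		if !allowed[sc] {
			return fmt.Errorf("scope %q is not valid for %s", sc, kind)
		}
	}
	return nil
}

// DeployTokensPath returns the deploy-token API path the generator would
// call for a valid spec, or the validation error that would reject it.
func DeployTokensPath(s Spec) (string, error) {
	kind, ref, err := Target(s)
	if err != nil {
		return "", err
	}
	if err := ValidateScopes(kind, s.Scopes); err != nil {
		return "", err
	}
	return "/api/v4/" + kind + "/" + ref + "/deploy_tokens", nil
}

func main() {
	// Constructed sample specs: valid path, pre-encoded path, numeric group
	// with a project-only scope, and no target at all.
	for _, s := range []Spec{
		{ProjectID: "my-group/my-project", Scopes: []string{"read_registry"}},
		{ProjectID: "my-group%2Fmy-project", Scopes: []string{"read_registry"}},
		{GroupID: "42", Scopes: []string{"read_virtual_registry"}},
		{Scopes: []string{"read_repository"}},
	} {
		p, err := DeployTokensPath(s)
		fmt.Printf("%+v -> %q err=%v\n", s, p, err)
	}
}
```

Note that the pre-encoded input comes out as `my-group%252Fmy-project`: the `%` is itself escaped, so GitLab looks up a project that does not exist and the API call fails rather than silently hitting the wrong target.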
GitLab deploy tokens are persistent: unlike short-lived tokens, GitLab does not garbage-collect them on its own. The generator therefore records the ID of the token it created in its generator state and revokes that token when the value is regenerated (on refresh) and when the consuming ExternalSecret is deleted, so each rotation leaves exactly one live token behind. Set `spec.expiresAt` if you also want GitLab to expire the token server-side as a backstop, so that a token the controller never gets to revoke does not stay valid indefinitely.
{% include 'generator-gitlab.yaml' %}
Example ExternalSecret that references the generator:
{% include 'generator-gitlab-example.yaml' %}
refreshInterval.