Use bearer token to access registry

app/models/project.rb

@@ -371,7 +371,8 @@ class Project < ActiveRecord::Base
   end
 
   def image_repository
-    @registry ||= ImageRegistry::Registry.new(Gitlab.config.registry.api_url)
+    @registry_token ||= Jwt::DockerAuthenticationService.full_access_token(path_with_namespace)
+    @registry ||= ImageRegistry::Registry.new(Gitlab.config.registry.api_url, token: @registry_token)
     @image_repository ||= ImageRegistry::Repository.new(@registry, path_with_namespace)
   end
 

app/services/jwt/docker_authentication_service.rb

@@ -8,6 +8,17 @@ module Jwt
       { token: token.encoded }
     end
 
+    def self.full_access_token(*names)
+      registry = Gitlab.config.registry
+      token = ::Jwt::RSAToken.new(registry.key)
+      token.issuer = registry.issuer
+      token.audience = 'docker'
+      token[:access] = names.map do |name|
+        { type: 'repository', name: name, actions: %w(pull push) }
+      end
+      token.encoded
+    end
+
     private
 
     def token