Deprecation - Support for registration tokens and server-side runner configuration parameters in `gitlab-runner register` command
For guidance on the overall deprecations, removals and breaking changes workflow, please visit [Breaking changes, deprecations, and removing features](https://about.gitlab.com/handbook/product/gitlab-the-product/#deprecations-removals-and-breaking-changes)
> For a high-level overview of the changes and how to proceed, please visit https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html
### Deprecation Summary
Support for registration tokens in the [command](https://docs.gitlab.com/runner/register/#registering-runners) used to register a runner, `gitlab-runner register`, is **deprecated**. The command accepts [runner authentication tokens](https://docs.gitlab.com/ee/security/token_overview.html#runner-authentication-tokens-also-called-runner-tokens) in place of registration tokens starting in %16.0. The plan is to enable the `enforce_create_runner_workflow` feature flag by default in GitLab %17.0 so that registration tokens cannot be used to create runners. The `enforce_create_runner_workflow` feature flag is planned for removal in %18.0, together with support for registration tokens.
----------------
**NOTE**: The following notice displayed by GitLab Runner 15.6 when registering a runner is out of date:
> WARNING: Support for registration tokens and runner parameters in the 'register' command has been deprecated in GitLab Runner 15.6 and will be replaced with support for authentication tokens. For more information, see https://gitlab.com/gitlab-org/gitlab/-/issues/380872
The `register` command will be preserved with some changes, which should limit the impact to users.
#### High-level overview of changes
As a result of the [Next GitLab Runner Token Architecture](https://docs.gitlab.com/ee/architecture/blueprints/runner_tokens/) effort, we are in the process of deprecating runner registration tokens in favor of an alternative process. The new process consists of (1) creating a runner directly in the GitLab UI, (2) getting an authentication token in return, and (3) using that authentication token in place of the registration token.
This has added benefits including preserving ownership records for runners, while minimizing the
impact on users.
Reusing the same authentication token across multiple runners (commonly in an auto-scaling scenario
where a runner manager spawns a runner process with a fixed authentication token) is supported
through the addition of a unique system ID. This ID is generated once at the runner's startup,
persisted in a sidecar file, and sent to the GitLab instance when requesting jobs.
This allows the GitLab instance to display which system executed a given job.
The new registration process is expected to become available in %16.0, and the legacy registration process will be available side-by-side for a few milestones before being sunset through a feature flag. Removal is planned for %18.0.
```mermaid
graph TD
subgraph new[<b>New registration flow</b>]
A[<b>GitLab</b>: User creates a runner in GitLab UI and adds the runner configuration] -->|<b>GitLab</b>: creates ci_runners record and returns<br/>new 'glrt-' prefixed authentication token| B
B(<b>Runner</b>: User runs 'gitlab-runner register' command with<br/>authentication token to register new runner machine with<br/>the GitLab instance) --> C{<b>Runner</b>: Does a .runner_system_id file exist in<br/>the gitlab-runner configuration directory?}
C -->|Yes| D[<b>Runner</b>: Reads existing system ID] --> F
C -->|No| E[<b>Runner</b>: Generates and persists unique system ID] --> F
F[<b>Runner</b>: Issues 'POST /runner/verify' request<br/>to verify authentication token validity] --> G{<b>GitLab</b>: Is the authentication token valid?}
G -->|Yes| H[<b>GitLab</b>: Creates ci_runner_machine database record if missing] --> J[<b>Runner</b>: Store authentication token in .config.toml]
G -->|No| I(<b>GitLab</b>: Returns '403 Forbidden' error) --> K(gitlab-runner register command fails)
J --> Z(Runner and runner machine are ready for use)
end
subgraph current[<b>Current registration flow</b>]
A'[<b>GitLab</b>: User retrieves runner registration token in GitLab UI] --> B'
B'[<b>Runner</b>: User runs 'gitlab-runner register' command<br/>with registration token to register new runner] -->|<b>Runner</b>: Issues 'POST /runner' request to create<br/>new runner and obtain authentication token| C'{<b>GitLab</b>: Is the registration token valid?}
C' -->|Yes| D'[<b>GitLab</b>: Create ci_runners database record] --> F'
C' -->|No| E'(<b>GitLab</b>: Return '403 Forbidden' error) --> K'(gitlab-runner register command fails)
F'[<b>Runner</b>: Store authentication token<br/>from response in .config.toml] --> Z'(Runner is ready for use)
end
style new fill:#f2ffe6
```
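The two flows above differ in what `gitlab-runner register` is given, so provisioning scripts can be audited for the legacy form. The following is an added example, not code from GitLab or from this issue: it classifies `register` invocations by token type and flags server-side options. The `--token` / `--registration-token` option names and the server-side option list are taken from GitLab's runner registration documentation rather than from this page, and all sample command lines and token values are constructed.

```shell
#!/bin/sh
# Added example: audit provisioning scripts for legacy `gitlab-runner register` usage.
# All command lines and token values below are constructed samples.

# Options that describe server-side runner settings (assumed list, taken from
# GitLab's runner registration docs rather than from this page).
SERVER_SIDE_FLAGS="--tag-list --run-untagged --locked --access-level --maximum-timeout --paused --maintenance-note"

# classify_register_cmd LINE
# Prints: not-register | legacy-token | new-workflow | unknown-token,
# with "+server-params" appended when server-side options are present.
classify_register_cmd() {
  # Normalize quoting and --flag=value so prefix checks see "--token glrt-...".
  norm=$(printf '%s ' "$1" | tr -d "\"'" | tr '=' ' ')
  case "$norm" in
    *"gitlab-runner register"*) ;;
    *) echo "not-register"; return 0 ;;
  esac
  case "$norm" in
    # A 'glrt-' prefixed value is an authentication token from the new flow.
    *"--token glrt-"*|*"--registration-token glrt-"*) verdict="new-workflow" ;;
    *"--registration-token "*)                        verdict="legacy-token" ;;
    # Variables or other values cannot be classified from the script alone.
    *)                                                verdict="unknown-token" ;;
  esac
  for flag in $SERVER_SIDE_FLAGS; do
    case "$norm" in
      *" $flag "*) verdict="$verdict+server-params"; break ;;
    esac
  done
  echo "$verdict"
}

# Constructed sample input: one invocation per line.
SAMPLES='gitlab-runner register --non-interactive --url https://gitlab.example.com --registration-token "CONSTRUCTED-LEGACY" --executor shell --tag-list "docker,linux"
gitlab-runner register --non-interactive --url https://gitlab.example.com --token "glrt-CONSTRUCTED" --executor shell
gitlab-runner register --url https://gitlab.example.com --token=glrt-CONSTRUCTED --locked --executor docker
gitlab-runner register --url https://gitlab.example.com --token "$RUNNER_TOKEN" --executor docker
gitlab-runner verify'

# Print a verdict next to each sample line.
audit_samples() {
  printf '%s\n' "$SAMPLES" | while IFS= read -r line; do
    printf '%-28s %s\n' "$(classify_register_cmd "$line")" "$line"
  done
}
audit_samples
```

Lines reported as `legacy-token` or `+server-params` are the ones to migrate; `unknown-token` lines need the variable's source checked by hand.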
### Breaking Change
- **Yes**
### Affected Topology
N/A - This change is specific to GitLab Runner.
### Affected Tier
* Free
* Premium
* Ultimate
### Checklists
**Labels**
- [x] This issue is labeled ~deprecation, and with the relevant `~devops::`, `~group::`, and `~Category:` labels.
- [x] This issue is labeled ~"breaking change" if the removal of the deprecated item will be a [breaking change](https://about.gitlab.com/handbook/product/gitlab-the-product/#examples-of-breaking-changes).
**Timeline**
Please add links to the relevant merge requests.
- As soon as possible, but no later than the third milestone preceding the major release (for example, given the following release schedule: `14.8, 14.9, 14.10, 15.0` – `14.8` is the third milestone preceding the major release):
  - [x] A [deprecation announcement entry](https://about.gitlab.com/handbook/marketing/blog/release-posts/#creating-a-deprecation-announcement) has been created so the deprecation will appear in release posts and on the [general deprecation page](https://docs.gitlab.com/ee/update/deprecations).
  - [x] Documentation has been updated to mark the feature as [deprecated](https://docs.gitlab.com/ee/development/documentation/versions.html#deprecations-and-removals).
- [ ] On or before the major milestone: A [removal entry](https://about.gitlab.com/handbook/marketing/blog/release-posts/#removals) has been created so the removal will appear on the [removals by milestones](https://docs.gitlab.com/ee/update/removals) page and be announced in the release post.
- On the major milestone:
  - [ ] The deprecated item has been removed.
  - [ ] If the removal of the deprecated item is a [breaking change](https://about.gitlab.com/handbook/product/gitlab-the-product/#examples-of-breaking-changes), the merge request is labeled ~"breaking change".
**Mentions**
- [x] Your stage's stable counterparts have been `@mentioned` on this issue. For example, Customer Support, Customer Success (Technical Account Manager), Product Marketing Manager.
  - To see who the stable counterparts are for a product team, visit [product categories](https://about.gitlab.com/handbook/product/categories/)
  - If there is no stable counterpart listed for Sales/CS, please mention `@timtams`
  - If there is no stable counterpart listed for Support, please mention `@gitlab-com/support/managers`
  - If there is no stable counterpart listed for Marketing, please mention `@cfoster3`
- [x] Your GPM has been `@mentioned` so that they are aware of planned deprecations. The goal is to have reviews happen at least two releases before the final removal of the feature or introduction of a breaking change.
### Deprecation Milestone
%"15.6"
### Planned Removal Milestone
%"17.0"
### Links
- [Issue](https://gitlab.com/gitlab-org/gitlab/-/issues/353826)
- [Next GitLab Runner Token Architecture](https://docs.gitlab.com/ee/architecture/blueprints/runner_tokens/)