Merge branch 'sabrams-master-patch-42203' into 'master'

Update dependency proxy docs with JWT expiration notes

See merge request gitlab-org/gitlab!85004

doc/administration/packages/dependency_proxy.md

@@ -265,6 +265,20 @@ Feature.disable(:dependency_proxy_for_private_groups)
 Feature.enable(:dependency_proxy_for_private_groups)
 ```
 
+## Changing the JWT expiration
+
+The Dependency Proxy follows the [Docker v2 token authentication flow](https://docs.docker.com/registry/spec/auth/token/),
+issuing the client a JWT to use for the pull requests. The token expiration time is a configurable
+using the application setting `container_registry_token_expire_delay`. It can be changed from the
+rails console:
+
+```ruby
+# update the JWT expiration to 30 minutes
+ApplicationSetting.update(container_registry_token_expire_delay: 30)
+```
+
+The default expiration and the expiration on GitLab.com is 15 minutes.
+
 ## Using the dependency proxy behind a proxy
  
 1. Edit `/etc/gitlab/gitlab.rb` and add the following lines:

doc/user/packages/dependency_proxy/index.md

@@ -96,6 +96,14 @@ You can authenticate using:
 Users accessing the Dependency Proxy with a personal access token or username and password must
 have at least the Guest role for the group they pull images from.
 
+The Dependency Proxy follows the [Docker v2 token authentication flow](https://docs.docker.com/registry/spec/auth/token/),
+issuing the client a JWT to use for the pull requests. The JWT issued as a result of authenticating
+expires after some time. When the token expires, most Docker clients store your credentials and
+automatically request a new token without further action.
+
+The token expiration time is a [configurable setting](../../../administration/packages/dependency_proxy.md#changing-the-jwt-expiration).
+On GitLab.com, the expiration time is 15 minutes.
+
 #### SAML SSO
 
 When [SSO enforcement](../../group/saml_sso/index.md#sso-enforcement)