In short For a toolforge repository I think you can use docker-registry.tools.wmflabs.org/toolforge-jdk17-sssd-base:latest. It should come with maven 3.6.5 (or use Maven Wrapper if you need a different version of Maven).**

I am moving this task to Toolforge. Continuous-Integration-Config is for legacy CI and the docker-registry.wikimedia.org/releng/* images, see below.

For the details of all our images:

Wikimedia production

For Wikimedia production, I think most of our applications are using Java 11 and some are still on Java 8. I don't know whether any have migrated to containers yet. We have some images maintained at https://gerrit.wikimedia.org/g/operations/docker-images/production-images/+/refs/heads/master/images/java/

The Stretch based ones are obsolete, that version of Debian went end of life in 2020. The Java 11 based on Buster was last rebuild in November 2020 and lacks a few years of updates. Thus I don't think we rely on them and they probably should not be used.

Legacy CI images

Continuous-Integration-Config is for the legacy CI based on Jenkins/Zuul/Gerrit. They are maintained in https://gerrit.wikimedia.org/g/integration/config and published in the releng container registry namespace (docker-registry.wikimedia.org/releng/*). Their use case is heavily tied to the legacy CI and they are not rebuild often. There is no plan to add Java 17 there yet since internally we don't have a use case for it. But surely at some point we will create them.

MediaWiki dev images

Images intended for development of MediaWiki and hosted at https://gitlab.wikimedia.org/repos/releng/dev-images , but from a quick look none of them have openjdk (MediaWiki is written in PHP).

Toolforge images

They are maintained on https://gerrit.wikimedia.org/g/operations/docker-images/toollabs-images using an entirely different toolset than the above repositories and published on a different registry. I don't know anything about that environment though.

The registry is at https://docker-registry.toolforge.org/ and they publish a docker-registry.tools.wmflabs.org/toolforge-jdk17-sssd-base:latest (which is based on Debian Bullseye and has the openjdk-17-jdk and maven packages.

I already tried the toolforge image but it is not currently allowed on GitLab:
https://gitlab.wikimedia.org/toolforge-repos/spacemedia/-/jobs/90926

ERROR: The "docker-registry.tools.wmflabs.org/toolforge-jdk17-sssd-base" image is not present on list of allowed images:
- docker-registry.wikimedia.org/**/*
- docker-registry.discovery.wmnet/**/*
- centos/*:*
- debian:*
- fedora:*
- opensuse/*:*
- ubuntu:*
- golang:*
- python:*
- ruby:*
- rust:*
- rustlang/rust:*
- registry.gitlab.com/gitlab-org/**/*
- registry.gitlab.com/security-products/**/*
- registry.gitlab.com/dependabot-gitlab/dependabot:*
- docker.elastic.co/elasticsearch/*:*
- docker-registry.tools.wmflabs.org/cloud-cicd*

Only cloud-cicd* images are allowed but I don't see anything with openjdk starting by this prefix.

Let's turn this language specific request into a blanket request to allow images from https://docker-registry.tools.wmflabs.org/ (browse via https://docker-registry.toolforge.org/) for GitLab CI. Restricting these images further to https://docker-registry.tools.wmflabs.org/toolforge-* and/or only allowing them for repos under https://gitlab.wikimedia.org/toolforge-repos/ would be acceptable as well.

I would like to use the docker-registry.tools.wmflabs.org/toolforge-php82-sssd-base:latest image in CI for https://gitlab.wikimedia.org/toolforge-repos/bash/.

Change 976355 had a related patch set uploaded (by Brennen Bearnes; author: Brennen Bearnes):

[operations/puppet@production] allow all images from docker-registry.tools.wmflabs.org

https://gerrit.wikimedia.org/r/976355

Looks like we forgot about this feature request. :(

Since I created this ticket, the image docker-registry.wikimedia.org/releng/maven-java17 has been created so I use it in my CI. It would still be useful to allow more images.