So we can stop depending on dockerhub.
Needs both TLS and Basic Auth support.
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | yuvipanda | T129309 Goal: Allow using k8s instead of GridEngine as a backend for webservices
Resolved | | yuvipanda | T118758 Setup private docker registry with authentication support in tools
Change 273840 had a related patch set uploaded (by Yuvipanda):
tools: Add authentication for docker registry
This now works properly, and I can push and pull!
However, docker has decided to do incredibly braindead things and ties image names to include a *hostname*, so I can't just have them be tools-docker-registry-01.
I'll probably need to set up a CNAME for tools-docker-registry.tools.eqiad.wmflabs...
Change 274148 had a related patch set uploaded (by Yuvipanda):
labs: Add CNAMES for tools specific things
Change 274160 had a related patch set uploaded (by Yuvipanda):
labs: Set tools zonefile to be loaded
The CNAME is set up, and https://wikitech.wikimedia.org/w/index.php?title=Hiera%3ATools%2Fhost%2Ftools-docker-registry-01&type=revision&diff=336976&oldid=284007 is starting towards the SAN for the SSL cert...
Change 274179 had a related patch set uploaded (by Yuvipanda):
labs: Revert all work around CNAMEs for toollabs
Change 274180 had a related patch set uploaded (by Yuvipanda):
labs: Revert all work around CNAMEs for toollabs
Indeed it's the same, I've merged it in.
The reason it's not just a container is mostly because we don't have swift on the horizon yet and I'm *far* more averse to putting anything on NFS now :)
And I want it to be a CNAME under tools since this is tools specific, and not super general - only root can pull / push from it.
That ticket also has a far more complex setup for a full PaaS system that we aren't doing yet (and when we do do it, we shouldn't be building our own but using a system like OpenShift / Deis), so have merged that into this.
Change 274179 abandoned by Yuvipanda:
labs: Revert all work around CNAMEs for toollabs
Change 278705 had a related patch set uploaded (by Yuvipanda):
labs: Add support for custom cnames in labs recursor
Change 278705 merged by Yuvipanda:
labs: Add support for custom cnames in labs recursor
Change 278964 had a related patch set uploaded (by Yuvipanda):
Revert "labs: Add support for custom cnames in labs recursor"
Change 278964 merged by Yuvipanda:
Revert "labs: Add support for custom cnames in labs recursor"
I've reverted all the CNAME work - @Joe pointed out that we'll want to have the registry available (in a readonly mode) to the whole world at some point anyway, so it's ok to use tools-docker-registry.wmflabs.org (and eventually, docker-registry.tools.wmflabs.org). So it is serving on port 443 on tools-docker-registry.wmflabs.org now.
I count this as done! \o/