
Secret storage on contint1001 for Docker registry password
Closed, Resolved (Public)

Description

The final step of the new container pipeline build phase is to push the resulting staging-ready image to our Docker registry. This operation will require secure access to the necessary credentials and we'll need to ensure that only the Jenkins jobs and CI admins can read them.

Event Timeline

We can let puppet create the file with the right permissions and let it get the actual password from the private repo, like we do with other passwords. If you can store the credentials on contint1001 and tell me where, I can add them to the private repo so that puppet can use them (and write them to a file).

We have a bunch of credentials in https://integration.wikimedia.org/ci/credentials/ ; they can then be exported as environment variables on a per-job basis with https://docs.openstack.org/infra/jenkins-job-builder/wrappers.html#wrappers.credentials-binding

Extra care needs to be taken to make sure the env variables are never shown. Tox, for example, would dump the environment variables on failure.

We could go with a puppet-provisioned script, though any job running on the host would potentially be able to access the credentials. On contint1001, though, only publish jobs are being run, so that is more or less controlled.

Another possibility I have been talking about with Tyler is to set up a private Jenkins that would only be used for release purposes. That reduces the risk of leaking credentials via CI.
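The two concerns raised in this thread, a puppet-provisioned password file that only the right user can read, and a job that must never expose the password through the environment (tox dumps the environment on failure) or through argv (visible in `ps`), can be combined in a small job-side helper. The block below is an added example and is not code from the Wikimedia CI or puppet repositories; the path `/etc/docker-registry/ci-password`, the user name `ci`, the registry host and the `REGISTRY_PASSWORD` variable name are placeholder assumptions, not the real contint1001 layout. It checks the file mode the way puppet is expected to have set it, pipes the password to `docker login --password-stdin` on stdin only, strips any copy of the secret from the child environment, and redacts the secret from captured output before it can reach the console log.

```python
#!/usr/bin/env python3
"""Added example (not Wikimedia CI/puppet code) for handling a registry
password that puppet wrote to a tightly permissioned file.

Assumptions (placeholders, not the real contint1001 layout):
  - secret file path /etc/docker-registry/ci-password, mode 0400
  - registry user "ci", registry host docker-registry.example
  - a stray REGISTRY_PASSWORD env var that must not reach the child
"""
import os
import stat
import subprocess
import sys
import tempfile

DEFAULT_SECRET_PATH = "/etc/docker-registry/ci-password"  # assumed path


def check_secret_file(path: str) -> int:
    """Return the mode if `path` is a regular file unreadable by group/other;
    raise PermissionError otherwise (the state puppet should have provisioned)."""
    st = os.lstat(path)  # lstat: a symlink to somewhere else is rejected below
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path}: mode {mode:04o} is readable by group/other")
    return mode


def read_secret(path: str) -> str:
    """Read the password after the permission check, dropping only the trailing newline."""
    check_secret_file(path)
    with open(path, encoding="utf-8") as fh:
        return fh.read().rstrip("\n")


def docker_login_cmd(registry: str, user: str) -> list:
    """argv for docker login. The password is deliberately NOT in argv,
    because argv is visible to every user on the host via `ps`."""
    return ["docker", "login", "--username", user, "--password-stdin", registry]


def redact(text: str, secrets) -> str:
    """Mask secret values in job output before it is echoed to the console log."""
    for s in secrets:
        if s:
            text = text.replace(s, "****")
    return text


def run_with_secret_on_stdin(cmd, secret: str, env=None):
    """Run `cmd` with the secret on stdin and a child environment that does not
    contain it. Returns (returncode, redacted combined output)."""
    child_env = dict(os.environ if env is None else env)
    # Remove any variable whose value is the secret (e.g. an exported copy
    # from a credentials-binding wrapper) so a failing tool cannot dump it.
    for name in [k for k, v in child_env.items() if v == secret]:
        del child_env[name]
    proc = subprocess.run(cmd, input=secret + "\n", text=True,
                          capture_output=True, env=child_env)
    return proc.returncode, redact(proc.stdout + proc.stderr, [secret])


def demo() -> dict:
    """Constructed end-to-end run using a temp file and a Python child process
    standing in for `docker login` (docker itself is not required)."""
    secret = "s3cret"
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "ci-password")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(secret + "\n")
    os.chmod(path, 0o400)                      # what puppet should provision
    result = {"secret_read": read_secret(path)}

    os.chmod(path, 0o644)                      # a world-readable file is refused
    try:
        check_secret_file(path)
        result["loose_mode_rejected"] = False
    except PermissionError:
        result["loose_mode_rejected"] = True

    cmd = docker_login_cmd("docker-registry.example", "ci")
    result["argv_contains_secret"] = secret in " ".join(cmd)

    # Stand-in child: echo what arrived on stdin and whether the secret leaked into env.
    child = [sys.executable, "-c",
             "import os, sys; sys.stdout.write(sys.stdin.read().strip()"
             " + ' env:' + str('REGISTRY_PASSWORD' in os.environ))"]
    leaky_env = dict(os.environ, REGISTRY_PASSWORD=secret)
    rc, out = run_with_secret_on_stdin(child, secret, env=leaky_env)
    result["child_rc"] = rc
    result["child_output"] = out               # secret masked, env flag False
    return result


if __name__ == "__main__":
    print(demo())
```

In a real publish job, `run_with_secret_on_stdin(docker_login_cmd(registry, user), read_secret(DEFAULT_SECRET_PATH))` would replace the stand-in child; the permission check is what keeps a misconfigured puppet run from silently handing the password to every job on the host.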

thcipriani claimed this task.