For testing and building out the CD pipeline in toolsbeta, we need to have a separate docker-registry and image builder rather than relying on the main Toolforge one.
| Status | Assigned | Task |
|---|---|---|
| Open | None | T194332 [Epic] Make Toolforge a proper platform as a service with push-to-deploy and build packs |
| Resolved | Bstorm | T265684 Figure out CI solution for building buildpack-based images for Toolforge |
| Open | Bstorm | T267374 Set up a Toolforge buildpack CI pipeline as a POC |
| Open | Bstorm | T267616 Set up docker-registry and image builder infra in toolsbeta |
| Resolved | Andrew | T267618 Request increased quota for toolsbeta Cloud VPS project |
Ok, so I have a very nice https://goharbor.io server running in toolsbeta (using independent database auth for testing) https://harbor.toolsbeta.wmflabs.org
It has APIs for adding just about everything and has robot auth, etc. It grants plenty of flexibility for image management (even quotas).
It hooks up to LDAP, but that's not necessarily helpful here. I think to do this right, users need to not have direct push rights. That needs to be handled by another build service. However, with this, that service can easily run in k8s.
In order to deploy this to tools soon, I'm proposing replacing tools-docker-registry with harbor running in k8s. However, unless we deploy cinder for k8s, we'll be doing that with NFS storage.