For testing and building out the CD pipeline in toolsbeta, we need to have a separate docker-registry hosted by harbor.
| Status | Assigned | Task |
|---|---|---|
| Open | dcaro | T194332 [Epic] Make Toolforge a proper platform as a service with push-to-deploy and build packs |
| Resolved | Bstorm | T265684 Figure out CI solution for building buildpack-based images for Toolforge |
| Open | dcaro | T267374 Set up a Toolforge buildpack CI pipeline as a POC |
| In Progress | dcaro | T267616 Set up docker-registry (harbor) in toolsbeta |
| Resolved | Andrew | T267618 Request increased quota for toolsbeta Cloud VPS project |
Ok, so I have a very nice https://goharbor.io server running in toolsbeta (using independent database auth for testing): https://harbor.toolsbeta.wmflabs.org
It has APIs for adding just about everything and has robot auth, etc. It grants plenty of flexibility for image management (even quotas).
It hooks up to LDAP, but that's not necessarily helpful here. I think to do this right, users need to not have direct push rights. That needs to be handled by another build service. However, with this, that service can easily run in k8s.
In order to deploy this to tools soon, I'm proposing replacing tools-docker-registry with harbor running in k8s. However, unless we deploy cinder for k8s, we'll be doing that with NFS storage.
Using trove for Postgres in the most recent iteration is terrible. You cannot control it much, and it doesn't actually allow you access to the Postgres account to create a database. This means you can have exactly one database and user. I doubt the replication still works as well. Maybe it will be improved as they settle into their more containerized setup.