For testing and building out the CD pipeline in toolsbeta, we need to have a separate docker-registry hosted by harbor.
Description
Details
Status | Subtype | Assigned | Task
---|---|---|---
Open | | dcaro | T194332 [Epic] Make Toolforge a proper platform as a service with push-to-deploy and build packs
Resolved | | Bstorm | T265684 Figure out CI solution for building buildpack-based images for Toolforge
Open | | dcaro | T267374 Set up a Toolforge buildpack CI pipeline as a POC
In Progress | | dcaro | T267616 Set up docker-registry (harbor) in toolsbeta
Resolved | | Andrew | T267618 Request increased quota for toolsbeta Cloud VPS project
Event Timeline
Mentioned in SAL (#wikimedia-cloud) [2020-11-10T18:27:06Z] <legoktm> creating toolsbeta-docker-imagebuilder-01 (T267616)
Change 707572 had a related patch set uploaded (by Bstorm; author: Bstorm):
[operations/puppet@production] toolforge harbor: puppetize experimental base server for harbor
Change 707572 merged by Bstorm:
[operations/puppet@production] toolforge harbor: puppetize experimental base server for harbor
Ok, so I have a very nice https://goharbor.io server running in toolsbeta (using independent database auth for testing): https://harbor.toolsbeta.wmflabs.org
It has APIs for adding just about everything and has robot auth, etc. It grants plenty of flexibility for image management (even quotas).
It hooks up to LDAP, but that's not necessarily helpful here. I think to do this right, users need to not have direct push rights. That needs to be handled by another build service. However, with this, that service can easily run in k8s.
In order to deploy this to tools soon, I'm proposing replacing tools-docker-registry with harbor running in k8s. However, unless we deploy cinder for k8s, we'll be doing that with NFS storage.
I've deployed harbor in toolsbeta; however, I want to modify the deployment a bit before replacing docker-registry with it or putting it in tools.
Change 722664 had a related patch set uploaded (by Bstorm; author: Bstorm):
[operations/puppet@production] toolforge harbor: install clients for redis and postgres
Change 722664 merged by Bstorm:
[operations/puppet@production] toolforge harbor: install clients for redis and postgres
Change 725048 had a related patch set uploaded (by Bstorm; author: Bstorm):
[operations/puppet@production] toolforge harbor: add external postgres db
Using trove for Postgres in the most recent iteration is terrible. You cannot control it much, and it doesn't actually allow you access to the Postgres account to create a database. This means you can have exactly one database and user. I doubt the replication still works as well. Maybe it will be improved as they settle into their more containerized setup.
Change 725048 merged by Bstorm:
[operations/puppet@production] toolforge harbor: add external postgres db
Change 726723 had a related patch set uploaded (by Bstorm; author: Bstorm):
[operations/puppet@production] toolforge postgres: drop database tuning
Change 726723 merged by Bstorm:
[operations/puppet@production] toolforge postgres: drop database tuning
Change 727638 had a related patch set uploaded (by Bstorm; author: Bstorm):
[operations/puppet@production] toolforge harbor: dockerize the config file and such
Change 727638 merged by Bstorm:
[operations/puppet@production] toolforge harbor: puppetize the install/compose config file and such
Change 728560 had a related patch set uploaded (by Bstorm; author: Bstorm):
[operations/puppet@production] toolforge harbor: change the permissions a bit on the dir
Change 728560 merged by Bstorm:
[operations/puppet@production] toolforge harbor: change the permissions a bit on the dir
Change 728566 had a related patch set uploaded (by Bstorm; author: Bstorm):
[operations/puppet@production] toolforge harbor: install docker-compose with puppet
Change 728566 merged by Bstorm:
[operations/puppet@production] toolforge harbor: install docker-compose with puppet
Change 728578 had a related patch set uploaded (by Bstorm; author: Bstorm):
[operations/puppet@production] toolforge harbor: add small customization to prepare script here
Change 728578 abandoned by Bstorm:
[operations/puppet@production] toolforge harbor: add small customization to prepare script here
Reason:
changing approach
Change 728581 had a related patch set uploaded (by Bstorm; author: Bstorm):
[operations/puppet@production] toolforge harbor: clean up the certs setup a bit better
Change 728581 merged by Bstorm:
[operations/puppet@production] toolforge harbor: clean up the certs setup a bit better
Change 728629 had a related patch set uploaded (by Bstorm; author: Bstorm):
[operations/puppet@production] toolforge harbor: update certs with acmechief