
Create WMDE Namespace on docker-registry.wikimedia.org
Closed, Resolved · Public

Description

It would be useful to have somewhere to host docker images created by WMDE that are not designed for use in production at WMF.

A separate namespace for docker images created by WMDE might be the way to go to ensure that they aren't accidentally deployed to the production k8s cluster.

The initial use-case for this could be to have somewhere to distribute docker images of Wikibase and related software (e.g. the queryservice). WMDE currently produces these images and puts them on dockerhub but it might, in some respects, be better to have them at docker-registry.wikimedia.org.

It would also be useful to determine the rules surrounding the images that could be placed here. For example:

  • what provenance would be required of the base images? (would this be more relaxed if the images couldn't go to production?)
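The separation the description relies on (a registry allowlist for the production cluster, plus a namespace inside that registry whose images are never admitted there) can be expressed as a small policy check. The following is an added example, not code from this task or from WMF's deployment tooling: it parses container image references and reports whether a reference would be admitted to production. The namespace name `wmde`, the `PRODUCTION_REGISTRY` constant, and the `production_admission` function are assumptions for illustration; an admission webhook or CI gate applying the same rule would be the realistic home for this logic.

```python
"""Admission check for container image references by registry and namespace.

Example code, not part of the Phabricator task or of any WMF tooling.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: the only registry images may be pulled from in production.
PRODUCTION_REGISTRY = "docker-registry.wikimedia.org"
# Assumption: namespaces inside that registry whose images are never meant
# for production (the task proposes such a namespace but does not name it).
NON_PRODUCTION_NAMESPACES = frozenset({"wmde"})

_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str    # e.g. "docker-registry.wikimedia.org" or "docker.io"
    namespace: str   # path components before the image name, "/"-joined
    name: str        # final path component
    tag: str         # "latest" when no tag is given
    digest: Optional[str]  # "sha256:..." when pinned by digest


def parse_image_ref(ref: str) -> ImageRef:
    """Split "[registry/]path[:tag][@sha256:digest]" into its parts.

    Follows the docker/distribution convention: the first path component is a
    registry only if it contains '.' or ':' or is exactly "localhost";
    otherwise docker.io is implied, and a bare name lives under "library".
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not _DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest: {digest!r}")

    # A ':' counts as a tag separator only if it comes after the last '/'
    # (so "localhost:5000/foo" is a registry port, not a tag).
    tag = "latest"
    last_slash, last_colon = ref.rfind("/"), ref.rfind(":")
    if last_colon > last_slash:
        ref, tag = ref[:last_colon], ref[last_colon + 1:]

    parts = ref.split("/")
    if any(p == "" for p in parts):
        raise ValueError(f"empty path component in {ref!r}")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, parts = parts[0], parts[1:]
    else:
        registry = "docker.io"
        if len(parts) == 1:
            parts = ["library"] + parts

    return ImageRef(registry, "/".join(parts[:-1]), parts[-1], tag, digest)


def production_admission(ref: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for pulling `ref` on the production cluster."""
    try:
        image = parse_image_ref(ref)
    except ValueError as exc:
        return False, f"rejected: unparseable reference ({exc})"
    if image.registry != PRODUCTION_REGISTRY:
        return False, f"rejected: registry {image.registry!r} is not {PRODUCTION_REGISTRY!r}"
    top_level = image.namespace.split("/")[0] if image.namespace else ""
    if top_level in NON_PRODUCTION_NAMESPACES:
        return False, f"rejected: namespace {top_level!r} is not deployable to production"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample references, not taken from any real deployment.
    for candidate in (
        "docker-registry.wikimedia.org/wikimedia-buster:latest",
        "docker-registry.wikimedia.org/wmde/wikibase:1.35",
        "wikibase/wikibase:1.35",
        "localhost:5000/ci/builder@sha256:" + "a" * 64,
    ):
        print(f"{candidate}: {production_admission(candidate)[1]}")
```

The registry check alone is the "allow just our registry" rule the IRC discussion describes; the namespace check is the extra step that keeps a dedicated non-production namespace out of the production cluster, which is exactly the gap the description points at.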

Below follow IRC logs of a discussion about this topic from 2020-11-20 in #wikimedia-serviceops

[11:04:33] <addshore>	 o/ Hey all! At the last tech conf (or whatever) I talked with one of you about wmde / wikibase having a namespace in the main docker registry. Few questions 1) is that still okay? 2) what are the requirements for images that are there?
[11:04:56] <addshore>	 I remember at the time I was told that we could put things there that didn't necessarily use the wmf base images, does that still hold true?
[11:05:20] <addshore>	 And are there requirements for where these images are built, like, must be WMF CI? or can we be more flexible in our own namespace? 
[11:28:00] * apergos peeks in, interested in the answers also
[11:31:15] <jayme>	 not 100%, but my understanding is that (with very rare exceptions) we want to only allow images built ourselves to be pushed to the registry
[11:33:11] <addshore>	 Is there some list of / documented reasons for that and also notes on the restrictions?
[11:33:33] <addshore>	 If they are too much we will likely just end up using some other docker registry
[11:36:11] <jayme>	 Not that I know of, sorry. My reasoning comes from the fact that we try to limit what is allowed to be run in the kubernetes clusters by only allowing docker images from our registry to be run...but that ofc. would also include CI images etc. so that might be more like a weak limitation
[11:36:35] <jayme>	 akosiaris can maybe shed some light if there are some hard rules...
[11:46:57] <addshore>	 Indeed and I 100% agree that you shouldn't run these images in prod k8s clusters :) from my vague memory that is what the namespaces may have been useful for
[11:47:14] <addshore>	 yes, this is mostly the same case as releng images, that we shouldn't run in prod
[12:04:35] <jayme>	 indeed, but I don't think we're currently limiting any further than "allow just our registry"
[12:05:29] <addshore>	 Is the best place for this to continue a phab ticket? (perhaps I'll wait until the end of the day and see if other people want to chime in here otherwise make one)
[12:08:28] <jayme>	 A task would be good to keep the discussion more permanent in any case!