Switch CI docker usage to use dedicated "ci-build" account
Closed, Resolved | Public

Description

As part of https://gerrit.wikimedia.org/r/664683 there is now a dedicated "ci-build" user that CI should use when pushing to docker-registry.wikimedia.org instead of the legacy generic "uploader" one.

I see it used in profile::ci::shipyard and will update that, but are the credentials anywhere else outside of puppet like in Jenkins?

Event Timeline

Change 666493 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[operations/puppet@production] ci: Use dedicated "ci-build" account for docker-registry pushes

https://gerrit.wikimedia.org/r/666493

Change 666493 merged by Legoktm:
[operations/puppet@production] ci: Use dedicated "ci-build" account for docker-registry pushes

https://gerrit.wikimedia.org/r/666493

Change 666703 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[operations/puppet@production] ci: Use dedicated "ci-build" account for docker-registry pushes (try #2)

https://gerrit.wikimedia.org/r/666703

Change 666703 merged by Legoktm:
[operations/puppet@production] ci: Use dedicated "ci-build" account for docker-registry pushes (try #2)

https://gerrit.wikimedia.org/r/666703

> but are the credentials anywhere else outside of puppet like in Jenkins?

https://integration.wikimedia.org/ci/credentials/store/system/domain/service-pipeline/credential/docker-registry-uploader/

Can I just change the username and password in this?

> > but are the credentials anywhere else outside of puppet like in Jenkins?
>
> https://integration.wikimedia.org/ci/credentials/store/system/domain/service-pipeline/credential/docker-registry-uploader/
>
> Can I just change the username and password in this?

We also keep these creds in our password store (my memory of why is that it's a pain to decrypt later). I can update that credential if you want to pair up for a quick key signing.

You should be able to obtain the password for the "ci-build" user in /etc/docker-pkg/integration.yaml on contint2001.

Legoktm claimed this task.

Tested that pushing to the registry still works with https://integration.wikimedia.org/ci/job/blubber-pipeline-publish/47/console

Should be all set now on the CI side!

> > > but are the credentials anywhere else outside of puppet like in Jenkins?
> >
> > https://integration.wikimedia.org/ci/credentials/store/system/domain/service-pipeline/credential/docker-registry-uploader/
> >
> > Can I just change the username and password in this?
>
> We also keep these creds in our password store (my memory of why is that it's a pain to decrypt later). I can update that credential if you want to pair up for a quick key signing.

Closing the loop from IRC: these creds are updated in the releng-secrets repo.