We are in the process of setting up a dedicated build machine for the ML team and I reached the stage where I would like to push images to the WMF registry. For that purpose I would need a new set of credentials specific to the team/machine that shouldn't be able to push to the /restricted namespace.
Details
| Status | Subtype | Assigned | Task |
|---|---|---|---|
| Resolved | | DPogorzelski-WMF | T394778 Build and push images to the docker registry from ml-lab |
| Resolved | | DPogorzelski-WMF | T412524 New WMF docker registry credentials |
Event Timeline
High level things to do afaics:
- Our current strategy so far has been to add docker credentials to the root's home directory, essentially to limit the users that can push images. The builder's profile for example has the following snippet (taking passwords from puppet private):

```puppet
docker::credentials { '/root/.docker/config.json':
    owner             => 'root',
    group             => 'root',
    registry          => $registry,
    registry_username => 'prod-build',
    registry_password => $password,
}
```

  So if the ML builder role follows the same strategy, a profile under it will need to add the same snippet. The credentials used will be the same set on the Docker registry as well.
- The hiera key `profile::docker_registry::image_builders` for the docker registry's role needs to be updated with ml-build1001's IP. Nginx has a special config to allow a host to correctly push images to the registry following the right protocol, but for complicated reasons we need to explicitly list IPs (more info in the nginx comments if you are curious).
- The class `docker_registry::web` currently holds all the allowed accounts. It basically sets the htpasswd files for nginx to use in its config, so in theory it should be sufficient to add the new ml user to the file `/etc/nginx/regular-push.htpasswd`.

Last but not least, I think we'd need to discuss in the K8s SIG channel what images will be pushed and how. If the scope is production images like https://gerrit.wikimedia.org/r/c/operations/docker-images/production-images/+/1146891, IMHO we'd need to figure out a new namespace or a way to prevent docker-pkg from pushing any image saved in the repo to the registry, since it may clash with what the build2xxx hosts do daily.
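Since the intent of the task is a credential that can push to the regular namespace but not to /restricted, a quick audit of the htpasswd files catches the two ways that goes wrong: the new user landing in the wrong file, or an account carrying a weak hash. This is an added example, not part of the task or of the puppet repo; the username `ml-build`, the restricted htpasswd file and its entries are assumptions, and both file contents below are constructed.

```python
# Constructed stand-ins for /etc/nginx/regular-push.htpasswd and for the htpasswd
# guarding the /restricted namespace (its real path on the registry hosts is an
# assumption). The hash strings are fake and only carry the scheme prefix.
REGULAR_PUSH_HTPASSWD = """\
prod-build:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ012345678
ml-build:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ012345679
"""
RESTRICTED_PUSH_HTPASSWD = """\
prod-build:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ012345678
legacy-user:$apr1$saltsalt$hashhashhashhashhashhas
"""


def parse_htpasswd(text):
    """Return {user: digest} from htpasswd content; blank lines and comments are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        entries[user] = digest
    return entries


def hash_scheme(digest):
    """Classify an htpasswd digest by its prefix (bcrypt is the only one worth keeping)."""
    if digest.startswith(("$2y$", "$2b$", "$2a$")):
        return "bcrypt"
    if digest.startswith("$apr1$"):
        return "apr1-md5"
    if digest.startswith("{SHA}"):
        return "sha1"
    return "crypt"


def audit(regular_text, restricted_text, new_user):
    """Return policy findings; an empty list means new_user is scoped as intended."""
    regular = parse_htpasswd(regular_text)
    restricted = parse_htpasswd(restricted_text)
    findings = []
    if new_user not in regular:
        findings.append(f"{new_user} missing from regular-push.htpasswd")
    if new_user in restricted:
        findings.append(f"{new_user} present in restricted htpasswd: can push to /restricted")
    for name, entries in (("regular", regular), ("restricted", restricted)):
        for user, digest in entries.items():
            scheme = hash_scheme(digest)
            if scheme != "bcrypt":
                findings.append(f"{name}: {user} uses {scheme}, expected bcrypt")
    return findings
```

Running `audit(REGULAR_PUSH_HTPASSWD, RESTRICTED_PUSH_HTPASSWD, "ml-build")` on the constructed files reports only the weak legacy hash, confirming the new account is absent from the restricted file.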
Change #1218707 had a related patch set uploaded (by Dpogorzelski; author: Dpogorzelski):
[operations/puppet@production] docker_registry: allow ml-build1001
Change #1218707 merged by Dpogorzelski:
[operations/puppet@production] docker_registry: allow ml-build1001
Change #1219114 had a related patch set uploaded (by Elukey; author: Elukey):
[operations/docker-images/docker-pkg/deploy@master] scap: add ml-build1001 to the scap targets
Change #1219114 merged by Elukey:
[operations/docker-images/docker-pkg/deploy@master] scap: add ml-build1001 to the scap targets
Change #1220352 had a related patch set uploaded (by Dpogorzelski; author: Dpogorzelski):
[operations/puppet@production] docker registry: add ml build user password
Change #1220352 merged by Dpogorzelski:
[operations/puppet@production] docker registry: add ml build user password
Change #1226204 had a related patch set uploaded (by Dpogorzelski; author: Dpogorzelski):
[operations/puppet@production] docker registry: add ml build user password
Change #1226204 merged by Dpogorzelski:
[operations/puppet@production] docker registry: add ml build user password