Wikimedia Release Engineering Team/Deployment pipeline/2017-10-03

Last Time

 * 2017-09-19
 * 2017-08-30

RelEng

 * Blubber in ci (just saw Giuseppe made a patch, thanks!)
 * Service pipeline job: https://integration.wikimedia.org/ci/job/service-pipeline/
 * Stumbling blocks:
 * Establish secure way of passing registry credentials from Jenkins to Docker
 * docker login uses ~/.docker/config.yaml
 * problematic for ci since users are shared between jobs, can work around with labels but that's shitty
 * wrapper script that has access to root 400 creds and does docker push from contint1001
 * Namespace?
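
A sketch of the wrapper idea from the stumbling blocks above, added here as an example and not the team's actual script: each push logs in through a throwaway `DOCKER_CONFIG` directory, so nothing is written to the shared CI user's `~/.docker`. The function name `push_image`, the `CREDS_FILE` path and `user:password` format, and the `DOCKER_BIN` override are assumptions; `stat -c` is the GNU form.

```bash
#!/usr/bin/env bash
# Added example: push an image with a per-invocation Docker config directory.
# Assumed, not from the notes: push_image, CREDS_FILE (one "user:password"
# line), and DOCKER_BIN (lets a different docker binary be substituted).

# push_image REGISTRY IMAGE
push_image() {
    local registry="$1" image="$2"
    local creds="${CREDS_FILE:-/etc/docker-push/creds}"   # hypothetical path
    local docker="${DOCKER_BIN:-docker}"
    local mode user pass cfg rc=0

    # Refuse a credentials file that group or other can read.
    mode=$(stat -c '%a' "$creds") || return 1
    case $mode in
        400|600) ;;
        *) echo "refusing $creds: mode $mode" >&2; return 1 ;;
    esac

    # Everything after the first colon is the password (colons allowed).
    IFS=: read -r user pass < "$creds" || [ -n "$user" ] || return 1

    # Private config dir for this run only; mktemp -d creates it mode 700.
    cfg=$(mktemp -d) || return 1

    # The password travels over stdin, never argv, so `ps` cannot show it.
    if printf '%s' "$pass" |
        DOCKER_CONFIG="$cfg" "$docker" login --username "$user" \
            --password-stdin "$registry"
    then
        DOCKER_CONFIG="$cfg" "$docker" push "$registry/$image" || rc=$?
        DOCKER_CONFIG="$cfg" "$docker" logout "$registry" || true
    else
        rc=1
    fi

    rm -rf -- "$cfg"   # nothing is left behind for the next job on this user
    return "$rc"
}
```

Run under a dedicated account (or via a narrowly scoped sudo rule), the Jenkins job only ever passes the registry and image name and never sees the credentials file.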

Ops

 * First draft of design document https://wikitech.wikimedia.org/wiki/Streamlined_Service_Delivery_Design
 * Add stuff !!! Some sections are still empty

Question: what happens when someone posts a malicious change?

 * Do we build and push the container?
 * tyler/marko: Only build and push on CI +2
 * marko: Should run a subset of tests based on an upload
 * tyler: current setup has jenkins +1 for unknowns, jenkins +2 for known, and CR +2 tests
 * dan: issue of trust (what's being submitted), issue of atomicity -- shitty concurrency
 * joe: staging cluster is +2 from user and pipeline, possibly also have integration e2e tests before deployment
 * dan +1 -- is there something that's needed for pre-merge?
 * alex: maybe not e2e tests on staging
 * joe: maybe use a namespaces/tags to control push
 * dan: feedback loop is much wider if we're running e2e tests post-merge

Services

 * none (yet)

As Always

 * Release Pipeline Workboard
 * Meeting notes