You are browsing a read-only backup copy of Wikitech. The live site can be found at wikitech.wikimedia.org
The Docker registry also accepts authorization using JSON Web Tokens. This option was introduced to allow Trusted GitLab Runners to push images to the registry during CI builds (T308501). nginx on the registry is configured to accept jwt from a list of allowed IPs (
Furthermore a dedicated daemon is executed to handle the jwt validation. This daemon is a go application hosted under https://gitlab.wikimedia.org/repos/releng/jwt-authorizer.
Building a new version
Building jwt-authorizer mostly follows the standard Debian Packaging workflow. jwt-authorizer needs golang >=1.16, so currently
DIST=bullseye-backports is used and the import on apt needs a additional ignore parameter:
- checkout the git repo on the build host as your user (see Debian Packaging for current buildhost,
build2001.codfw.wmnetas of today)
- change to the jwt-authorizer folder:
# on build2001 cd jwt-authorizer
- build the package as your user:
# on build2001 DIST=bullseye-backports pdebuild
Publish a new version
The newly build version has to be synced to apt host (
apt1001.wikimedia.org as of today):
# on apt1001 rsync -vaz build2001.codfw.wmnet::pbuilder-result/bullseye-amd64/*<PACKAGE VERSION>* .
Next the package has to be loaded with reprepro:
# on apt1001 sudo -i reprepro -C main --ignore=wrongdistribution include bullseye-wikimedia /path/to/<PACKAGE>.changes
Now check if the new version is available:
# on apt1001 sudo -i reprepro lsbycomponent jwt-authorizer
Log the change to SAL
!log "Imported jwt-authorizer <PACKAGE VERSION> to bullseye-wikimedia"
This page is a part of the SRE Service Operations - Collaboration technical documentation
(go here for a list of all our pages)