Staged release process for security releases

[timja]

#1149 (comment)

TODO design

[timja]

@daniel-beck are you able to create a private docker registry on repo.jenkins-ci.org please?

If you can create a user that can push to it and create a username / password credential on trusted CI that would be great, or let me know a credential id that can already push.

[daniel-beck]

For testing, you can use timja. (I can create a new one if you prefer.)

After creating the repo, the instructions from Artifactory were the following:

[timja]

ugh that's a problem I remember from when we hosted our own artifactory instance.

Given it's a hosted instance this is even worse.

I assume we need an SSL certificate sent to jfrog to do this? (probably a SAN cert for repo.jenkins-ci.org and docker-staging.repo.jenkins-ci.org).

We asked them last time about using lets encrypt which they seemed lost on.

Any thoughts @olblak @dduportal @lemeurherve ?

Or should we look at using something else maybe just an AWS / azure registry?

Azure basic tier would be $5 a month or Azure standard $20.

AWS looks basically free with the amount we would be using this (staging for security releases only)?

[lemeurherve]

For docker images, how about using github to also host them?

[timja]

That might work actually, from what I can tell they default to private and that's what we're after here:
https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry

There's a separate issue for mirroring the images to github registry as well:
#1140