[10:52:39] <brouberol>	 cdanis: small bit of feedback about secret(<path>) in yaml values. Writing the password to the file in vim causes a newline to be added at the end by default (although not displayed when editing the file). A simple echo $val >, or f.write(pwd.strip()) work just fine
[12:53:05] <elukey>	 hey folks
[12:53:42] <elukey>	 I am getting back to adding the auth capabilities to docker-reporter to pull a mediawiki image on build nodes to run debmonitor on it
[12:54:12] <elukey>	 the simplest way afaics is to modify the registry's nginx config to allow the prod-build user to pull /restricted images
[12:54:49] <elukey>	 when I proposed this the first time I remember that Joe had some concerns, namely that prod-build may be used outside the buildXXXX hosts (in some CI workflow)
[12:55:24] <elukey>	 I've read https://phabricator.wikimedia.org/T273521 and I don't find any proof of that, nor code-searching it (https://codesearch.wmcloud.org/search/?q=prod-build&files=&excludeFiles=&repos=)
[12:55:35] <elukey>	 has anybody some context on it that I can review?
[12:56:02] <elukey>	 it is fine for me to create a dedicated user for the build hosts, even if 'prod-build' seemed the right one
[13:28:28] <elukey>	 opened https://phabricator.wikimedia.org/T404437
[13:46:03] <cdanis>	 brouberol: ahh, yeah, makes sense.  another option would be `secret().strip` in the puppet code itself
[13:56:00] <cdanis>	 I guess that doesn't help in the hiera though
[15:12:42] <brouberol>	 that's right. So, it's a bit of a gotcha to remember
[15:13:22] <cdanis>	 yeah.  I think it would be totally reasonable to extend wmflib to support a no-trailing-whitespace variant