bk: use explicit docker login #5767

v1v · 2025-10-24T11:15:24Z

What is the problem this PR solves?

Help with fetching internal containers or from dockerhub without being affected by the rate limit or an invalid login in the VM images.

How to test this PR locally

In the CI, I ran manually:

https://buildkite.com/elastic/fleet-server-package-mbp/builds/2651

https://buildkite.com/elastic/fleet-server-package-mbp/builds/2665

Design Checklist

I have ensured my design is stateless and will work when multiple fleet-server instances are behind a load balancer.
I have or intend to scale test my changes, ensuring it will work reliably with 100K+ agents connected.
I have included fail safe mechanisms to limit the load on fleet-server: rate limiting, circuit breakers, caching, load shedding, etc.

Checklist

I have commented my code, particularly in hard-to-understand areas
I have made corresponding changes to the documentation
I have made corresponding change to the default configuration files
I have added tests that prove my fix is effective or that my feature works
I have added an entry in ./changelog/fragments using the changelog tool

Related issues

#5455 moved to a golang docker image

help with fetching internal containers or from docker hub #5455 moved to a golang docker image help with issues with the rate limit help with configuring at runtime the docker login instead of using the cached one that could be invalid

prodsecmachine · 2025-10-24T11:15:35Z

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Licenses	0	0	0	0	0 issues
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

.buildkite/pipeline.package.mbp.yml

ebeahan · 2025-10-24T18:49:59Z

Added @ycombinator as a reviewer. @ycombinator - can you help confirm the FIPS needing both registries?

pkoutsovasilis

Aside the FIPS requirement, where @ycombinator can chime in, the other changes LGTM

fr4nc1sc0-r4m0n

LGTM

ycombinator · 2025-10-28T21:52:56Z

@v1v I'm trying to understand why the FIPS packaging steps in the BK pipeline need both Docker registries. Specifically, I'm trying to understand why the DockerHub registry is needed. If I look at the FROM instructions in https://github.com/elastic/fleet-server/blob/main/Dockerfile.fips, they're all pulling from the Elastic Docker registry. So, unless I missed something, I don't think we need to login to DockerHub for the FIPS packaging steps?

.buildkite/pipeline.package.mbp.yml

fr4nc1sc0-r4m0n

LGTM

github-actions · 2025-10-29T14:36:12Z

@Mergifyio backport 8.19 9.1 9.2

mergify · 2025-10-29T14:36:20Z

backport 8.19 9.1 9.2

✅ Backports have been created

#5785 [8.19](backport #5767) bk: use explicit docker login has been created for branch 8.19
#5786 [9.1](backport #5767) bk: use explicit docker login has been created for branch 9.1
#5787 [9.2](backport #5767) bk: use explicit docker login has been created for branch 9.2

(cherry picked from commit fe9dfc4)

v1v added 3 commits October 24, 2025 10:26

bk: use explicit docker login

8bfba0c

help with fetching internal containers or from docker hub #5455 moved to a golang docker image help with issues with the rate limit help with configuring at runtime the docker login instead of using the cached one that could be invalid

use our shared secret

2f62bff

fips uses docker elastic registry

294e93c

v1v added the backport-active-all Automated backport with mergify to all the active branches label Oct 24, 2025