Add support for authenticated registries

Signed-off-by: Eric D. Helms <[email protected]>

Author: ehelms

docs/installation.md

@@ -0,0 +1,23 @@
+# Foreman Installation Guide
+
+## Authenticated Registry
+
+If you need to pull images from private or authenticated container registries, you can configure registry authentication using Podman's auth file.
+
+### Setting up Registry Authentication
+
+1. **Login to your registry** using Podman and save credentials to the default auth file location:
+   ```bash
+   podman login <registry> --authfile=/etc/foreman/registry-auth.json
+   ```
+
+2. **Ensure proper permissions** on the auth file:
+   ```bash
+   sudo chmod 600 /etc/foreman/registry-auth.json
+   sudo chown root:root /etc/foreman/registry-auth.json
+   ```
+
+3. **Deploy as usual** - foremanctl will automatically detect and use the authentication file:
+   ```bash
+   ./foremanctl deploy
+   ```

src/playbooks/deploy/deploy.yaml

@@ -9,7 +9,6 @@
     - "../../vars/images.yml"
     - "../../vars/database.yml"
     - "../../vars/foreman.yml"
-
   vars:
     certificates_hostnames:
       - "{{ ansible_fqdn }}"
@@ -54,6 +53,7 @@
           - python3-requests
   roles:
     - role: checks
+    - pre_install
     - role: certificates
       when: "certificate_source == 'default'"
     - role: certificate_checks

src/playbooks/pull-images/pull-images.yaml

@@ -12,14 +12,27 @@
         name:
           - podman
 
+    - name: Check if auth file exists
+      ansible.builtin.stat:
+        path: "{{ registry_auth_file }}"
+      register: registry_auth_file_stat
+      when: registry_auth_file is defined and registry_auth_file | length > 0
+
+    - name: Set auth file variable if exists
+      ansible.builtin.set_fact:
+        auth_file: "{{ registry_auth_file }}"
+      when: registry_auth_file is defined and registry_auth_file_stat.stat.exists | default(false)
+
     - name: Pull an image
       containers.podman.podman_image:
         name: "{{ item }}"
+        auth_file: "{{ auth_file | default(omit) }}"
       loop: "{{ images }}"
 
     - name: Pull database images
       containers.podman.podman_image:
         name: "{{ item }}"
+        auth_file: "{{ auth_file | default(omit) }}"
       loop: "{{ database_images }}"
       when:
         - database_mode == 'internal'

src/roles/candlepin/defaults/main.yml

@@ -14,6 +14,7 @@ candlepin_ciphers:
   - TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
 candlepin_container_image: quay.io/foreman/candlepin
 candlepin_container_tag: "4.4.14"
+candlepin_registry_auth_file: /etc/foreman/registry-auth.json
 
 candlepin_database_host: localhost
 candlepin_database_port: 5432

src/roles/candlepin/tasks/main.yml

@@ -45,10 +45,22 @@
   ansible.builtin.include_tasks:
     file: artemis.yml
 
+- name: Check if auth file exists
+  ansible.builtin.stat:
+    path: "{{ candlepin_registry_auth_file }}"
+  register: candlepin_auth_file_stat
+  when: candlepin_registry_auth_file is defined and candlepin_registry_auth_file | length > 0
+
+- name: Set auth file variable if exists
+  ansible.builtin.set_fact:
+    candlepin_auth_file: "{{ candlepin_registry_auth_file }}"
+  when: candlepin_registry_auth_file is defined and candlepin_auth_file_stat.stat.exists | default(false)
+
 - name: Pull the Candlepin container image
   containers.podman.podman_image:
     name: "{{ candlepin_container_image }}:{{ candlepin_container_tag }}"
     state: present
+    auth_file: "{{ candlepin_auth_file | default(omit) }}"
 
 - name: Deploy Candlepin quadlet
   containers.podman.podman_container:
@@ -57,6 +69,8 @@
     state: quadlet
     network: host
     hostname: "{{ ansible_fqdn }}"
+    env:
+      REGISTRY_AUTH_FILE: "{{ candlepin_auth_file | default(omit) }}"
     secrets:
       - 'candlepin-ca-cert,target=/etc/candlepin/certs/candlepin-ca.crt,mode=0440,type=mount'
       - 'candlepin-ca-key,target=/etc/candlepin/certs/candlepin-ca.key,mode=0440,type=mount'

src/roles/foreman/defaults/main.yaml

@@ -1,6 +1,7 @@
 ---
 foreman_container_image: "quay.io/foreman/foreman"
 foreman_container_tag: "nightly"
+foreman_registry_auth_file: /etc/foreman/registry-auth.json
 
 foreman_database_name: foreman
 foreman_database_user: foreman

src/roles/foreman/tasks/main.yaml

@@ -1,8 +1,20 @@
 ---
+- name: Check if auth file exists
+  ansible.builtin.stat:
+    path: "{{ foreman_registry_auth_file }}"
+  register: foreman_auth_file_stat
+  when: foreman_registry_auth_file is defined and foreman_registry_auth_file | length > 0
+
+- name: Set auth file variable if exists
+  ansible.builtin.set_fact:
+    foreman_auth_file: "{{ foreman_registry_auth_file }}"
+  when: foreman_registry_auth_file is defined and foreman_auth_file_stat.stat.exists | default(false)
+
 - name: Pull the Foreman container image
   containers.podman.podman_image:
     name: "{{ foreman_container_image }}:{{ foreman_container_tag }}"
     state: present
+    auth_file: "{{ foreman_auth_file | default(omit) }}"
 
 - name: Create secret for DATABASE_URL
   containers.podman.podman_secret:
@@ -63,6 +75,7 @@
     env:
       SEED_ADMIN_USER: "{{ foreman_initial_admin_username }}"
       SEED_ADMIN_PASSWORD: "{{ foreman_initial_admin_password }}"
+      REGISTRY_AUTH_FILE: "{{ foreman_auth_file | default(omit) }}"
     quadlet_options:
       - |
         [Install]
@@ -88,6 +101,7 @@
       DYNFLOW_SIDEKIQ_SCRIPT: "/usr/share/foreman/extras/dynflow-sidekiq.rb"
       DYNFLOW_REDIS_URL: "redis://localhost:6379/6"
       REDIS_PROVIDER: "DYNFLOW_REDIS_URL"
+      REGISTRY_AUTH_FILE: "{{ foreman_auth_file | default(omit) }}"
     command: "/usr/libexec/foreman/sidekiq-selinux -e production -r /usr/share/foreman/extras/dynflow-sidekiq.rb -C /etc/foreman/dynflow/%i.yml"
     quadlet_options:
       - |

src/roles/postgresql/defaults/main.yml

@@ -1,6 +1,7 @@
 ---
 postgresql_container_image: quay.io/sclorg/postgresql-13-c9s
 postgresql_container_tag: "latest"
+postgresql_registry_auth_file: /etc/foreman/registry-auth.json
 postgresql_container_name: postgresql
 postgresql_network: host
 postgresql_restart_policy: always

src/roles/postgresql/tasks/main.yml

@@ -1,8 +1,20 @@
 ---
+- name: Check if auth file exists
+  ansible.builtin.stat:
+    path: "{{ postgresql_registry_auth_file }}"
+  register: postgresql_auth_file_stat
+  when: postgresql_registry_auth_file is defined and postgresql_registry_auth_file | length > 0
+
+- name: Set auth file variable if exists
+  ansible.builtin.set_fact:
+    postgresql_auth_file: "{{ postgresql_registry_auth_file }}"
+  when: postgresql_registry_auth_file is defined and postgresql_auth_file_stat.stat.exists | default(false)
+
 - name: Pull PostgreSQL container image
   containers.podman.podman_image:
     name: "{{ postgresql_container_image }}:{{ postgresql_container_tag }}"
     state: present
+    auth_file: "{{ postgresql_auth_file | default(omit) }}"
 
 - name: Create PostgreSQL storage directory
   ansible.builtin.file:
@@ -29,6 +41,8 @@
       - "{{ postgresql_data_dir }}:/var/lib/pgsql/data:Z"
     secrets:
       - 'postgresql_admin_password,target=POSTGRESQL_ADMIN_PASSWORD,type=env'
+    env:
+      REGISTRY_AUTH_FILE: "{{ postgresql_auth_file | default(omit) }}"
     quadlet_options:
       - |
         [Install]

src/roles/pre_install/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+- name: Create /etc/foreman directory
+  ansible.builtin.file:
+    path: /etc/foreman
+    state: directory
+    mode: '0755'
+    owner: root
+    group: root