Add support for authenticated registries

ehelms · ehelms · commit cf006d954d52 · 2025-12-04T08:04:25.000-05:00
diff --git a/docs/deployment.md b/docs/deployment.md
@@ -44,25 +44,27 @@ A deployment can have multiple base features enabled.
 
 ### Authenticated Registry Handling
 
-In the non-default case where the image sources are supplied from an authenticated location users will need to inject a login step.
-For example, users might be consuming a custom build of the Foreman image.
+If you need to pull images from private or authenticated container registries, you can configure registry authentication using Podman's auth file.
 
-In this case, the happy path becomes:
+#### Setting up Registry Authentication
 
-  1. Configure package repository
-  2. Install `foremanctl` package
-  3. Run deployment utility and provide registry username and token
+1. **Login to your registry** using Podman and save credentials to the default auth file location:
+```bash
+podman login <registry> --authfile=/etc/foreman/registry-auth.json
+```
 
-The advanced path breaks down to:
+2. **Ensure proper permissions** on the auth file:
+```bash
+sudo chmod 600 /etc/foreman/registry-auth.json
+sudo chown root:root /etc/foreman/registry-auth.json
+```
 
-  1. Configure package repository
-  2. Install `foremanctl` package
-  3. Login to registry with podman
-  3. Pull images
-  4. Generate certificates
-  5. Execute pre-requisite checks
-  6. Run deployment utility
-  7. Post deploy checks
+3. **Deploy as usual** - foremanctl will automatically detect and use the authentication file:
+```bash
+./foremanctl deploy
+```
+
+This approach integrates seamlessly with both the happy path and advanced deployment paths described above. The authentication is handled transparently during image pulling operations.
 
 ## Deployer Stages
 
diff --git a/src/roles/candlepin/defaults/main.yml b/src/roles/candlepin/defaults/main.yml
@@ -14,6 +14,7 @@ candlepin_ciphers:
   - TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
 candlepin_container_image: quay.io/foreman/candlepin
 candlepin_container_tag: "4.4.14"
+candlepin_registry_auth_file: /etc/foreman/registry-auth.json
 
 candlepin_database_host: localhost
 candlepin_database_port: 5432
diff --git a/src/roles/candlepin/tasks/main.yml b/src/roles/candlepin/tasks/main.yml
@@ -51,10 +51,23 @@
   ansible.builtin.include_tasks:
     file: artemis.yml
 
+- name: Check if registry auth file exists
+  ansible.builtin.stat:
+    path: "{{ candlepin_registry_auth_file }}"
+  register: candlepin_registry_auth_file_stat
+
+- name: Set registry auth file permissions
+  ansible.builtin.file:
+    path: "{{ candlepin_registry_auth_file }}"
+    mode: '0600'
+  when: candlepin_registry_auth_file_stat.stat.exists
+
 - name: Pull the Candlepin container image
   containers.podman.podman_image:
     name: "{{ candlepin_container_image }}:{{ candlepin_container_tag }}"
     state: present
+  environment:
+    REGISTRY_AUTH_FILE: "{{ candlepin_registry_auth_file if candlepin_registry_auth_file_stat.stat.exists else omit }}"
 
 - name: Deploy Candlepin quadlet
   containers.podman.podman_container:
diff --git a/src/roles/foreman/defaults/main.yaml b/src/roles/foreman/defaults/main.yaml
@@ -1,6 +1,7 @@
 ---
 foreman_container_image: "quay.io/foreman/foreman"
 foreman_container_tag: "nightly"
+foreman_registry_auth_file: /etc/foreman/registry-auth.json
 
 foreman_database_name: foreman
 foreman_database_user: foreman
diff --git a/src/roles/foreman/tasks/main.yaml b/src/roles/foreman/tasks/main.yaml
@@ -1,8 +1,21 @@
 ---
+- name: Check if registry auth file exists
+  ansible.builtin.stat:
+    path: "{{ foreman_registry_auth_file }}"
+  register: foreman_registry_auth_file_stat
+
+- name: Set registry auth file permissions
+  ansible.builtin.file:
+    path: "{{ foreman_registry_auth_file }}"
+    mode: '0600'
+  when: foreman_registry_auth_file_stat.stat.exists
+
 - name: Pull the Foreman container image
   containers.podman.podman_image:
     name: "{{ foreman_container_image }}:{{ foreman_container_tag }}"
     state: present
+  environment:
+    REGISTRY_AUTH_FILE: "{{ foreman_registry_auth_file if foreman_registry_auth_file_stat.stat.exists else omit }}"
 
 - name: Create secret for DATABASE_URL
   containers.podman.podman_secret:
@@ -226,6 +239,8 @@
     network: host
     env:
       FOREMAN_ENABLED_PLUGINS: "{{ foreman_plugins | join(' ') }}"
+    environment:
+      REGISTRY_AUTH_FILE: "{{ foreman_registry_auth_file if foreman_registry_auth_file_stat.stat.exists else omit }}"
     secrets:
       - 'foreman-database-url,type=env,target=DATABASE_URL'
       - 'foreman-seed-admin-user,type=env,target=SEED_ADMIN_USER'
diff --git a/src/roles/postgresql/defaults/main.yml b/src/roles/postgresql/defaults/main.yml
@@ -1,6 +1,7 @@
 ---
 postgresql_container_image: quay.io/sclorg/postgresql-13-c9s
 postgresql_container_tag: "latest"
+postgresql_registry_auth_file: /etc/foreman/registry-auth.json
 postgresql_container_name: postgresql
 postgresql_network: host
 postgresql_restart_policy: always
diff --git a/src/roles/postgresql/tasks/main.yml b/src/roles/postgresql/tasks/main.yml
@@ -1,8 +1,21 @@
 ---
+- name: Check if registry auth file exists
+  ansible.builtin.stat:
+    path: "{{ postgresql_registry_auth_file }}"
+  register: postgresql_registry_auth_file_stat
+
+- name: Set registry auth file permissions
+  ansible.builtin.file:
+    path: "{{ postgresql_registry_auth_file }}"
+    mode: '0600'
+  when: postgresql_registry_auth_file_stat.stat.exists
+
 - name: Pull PostgreSQL container image
   containers.podman.podman_image:
     name: "{{ postgresql_container_image }}:{{ postgresql_container_tag }}"
     state: present
+  environment:
+    REGISTRY_AUTH_FILE: "{{ postgresql_registry_auth_file if postgresql_registry_auth_file_stat.stat.exists else omit }}"
 
 - name: Create PostgreSQL storage directory
   ansible.builtin.file:
diff --git a/src/roles/pre_install/tasks/main.yaml b/src/roles/pre_install/tasks/main.yaml
@@ -16,3 +16,11 @@
       - python3-libsemanage
       - python3-psycopg2
       - python3-requests
+
+- name: Create foreman configuration directory
+  ansible.builtin.file:
+    path: /etc/foreman
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
diff --git a/src/roles/pulp/defaults/main.yaml b/src/roles/pulp/defaults/main.yaml
@@ -1,6 +1,7 @@
 ---
 pulp_container_image: quay.io/foreman/pulp
 pulp_container_tag: "3.73"
+pulp_registry_auth_file: /etc/foreman/registry-auth.json
 pulp_api_image: "{{ pulp_container_image }}:{{ pulp_container_tag }}"
 pulp_content_image: "{{ pulp_container_image }}:{{ pulp_container_tag }}"
 pulp_worker_image: "{{ pulp_container_image }}:{{ pulp_container_tag }}"
diff --git a/src/roles/pulp/tasks/main.yaml b/src/roles/pulp/tasks/main.yaml
@@ -1,17 +1,34 @@
+- name: Check if registry auth file exists
+  ansible.builtin.stat:
+    path: "{{ pulp_registry_auth_file }}"
+  register: pulp_registry_auth_file_stat
+
+- name: Set registry auth file permissions
+  ansible.builtin.file:
+    path: "{{ pulp_registry_auth_file }}"
+    mode: '0600'
+  when: pulp_registry_auth_file_stat.stat.exists
+
 - name: Pull the Pulp API container image
   containers.podman.podman_image:
     name: "{{ pulp_api_image }}"
     state: present
+  environment:
+    REGISTRY_AUTH_FILE: "{{ pulp_registry_auth_file if pulp_registry_auth_file_stat.stat.exists else omit }}"
 
 - name: Pull the Pulp Content container image
   containers.podman.podman_image:
     name: "{{ pulp_content_image }}"
     state: present
+  environment:
+    REGISTRY_AUTH_FILE: "{{ pulp_registry_auth_file if pulp_registry_auth_file_stat.stat.exists else omit }}"
 
 - name: Pull the Pulp Worker container image
   containers.podman.podman_image:
     name: "{{ pulp_worker_image }}"
     state: present
+  environment:
+    REGISTRY_AUTH_FILE: "{{ pulp_registry_auth_file if pulp_registry_auth_file_stat.stat.exists else omit }}"
 
 - name: Create Pulp storage
   ansible.builtin.file:
@@ -199,6 +216,8 @@
     detach: false
     network: host
     volumes: "{{ pulp_volumes }}"
+    environment:
+      REGISTRY_AUTH_FILE: "{{ pulp_registry_auth_file if pulp_registry_auth_file_stat.stat.exists else omit }}"
     secrets:
       - 'pulp-symmetric-key,type=mount,target=/etc/pulp/certs/database_fields.symmetric.key'
       - 'pulp-db-password,type=env,target=PULP_DATABASES__default__PASSWORD'
@@ -212,6 +231,8 @@
     detach: false
     network: host
     volumes: "{{ pulp_volumes }}"
+    environment:
+      REGISTRY_AUTH_FILE: "{{ pulp_registry_auth_file if pulp_registry_auth_file_stat.stat.exists else omit }}"
     secrets:
       - 'pulp-symmetric-key,type=mount,target=/etc/pulp/certs/database_fields.symmetric.key'
       - 'pulp-db-password,type=env,target=PULP_DATABASES__default__PASSWORD'
diff --git a/src/roles/redis/defaults/main.yml b/src/roles/redis/defaults/main.yml
@@ -1,3 +1,4 @@
 ---
 redis_container_image: quay.io/sclorg/redis-6-c9s
 redis_container_tag: "latest"
+redis_registry_auth_file: /etc/foreman/registry-auth.json
diff --git a/src/roles/redis/tasks/main.yaml b/src/roles/redis/tasks/main.yaml
@@ -1,8 +1,21 @@
 ---
+- name: Check if registry auth file exists
+  ansible.builtin.stat:
+    path: "{{ redis_registry_auth_file }}"
+  register: redis_registry_auth_file_stat
+
+- name: Set registry auth file permissions
+  ansible.builtin.file:
+    path: "{{ redis_registry_auth_file }}"
+    mode: '0600'
+  when: redis_registry_auth_file_stat.stat.exists
+
 - name: Pull Redis container image
   containers.podman.podman_image:
     name: "{{ redis_container_image }}:{{ redis_container_tag }}"
     state: present
+  environment:
+    REGISTRY_AUTH_FILE: "{{ redis_registry_auth_file if redis_registry_auth_file_stat.stat.exists else omit }}"
 
 - name: Create directory for Redis data
   ansible.builtin.file:
