Add support for authenticated registries

Signed-off-by: Eric D. Helms <[email protected]>

Author: ehelms

docs/deployment.md

@@ -44,25 +44,27 @@ A deployment can have multiple base features enabled.
 
 ### Authenticated Registry Handling
 
-In the non-default case where the image sources are supplied from an authenticated location users will need to inject a login step.
-For example, users might be consuming a custom build of the Foreman image.
+If you need to pull images from private or authenticated container registries, you can configure registry authentication using Podman's auth file.
 
-In this case, the happy path becomes:
+#### Setting up Registry Authentication
 
-  1. Configure package repository
-  2. Install `foremanctl` package
-  3. Run deployment utility and provide registry username and token
+1. **Login to your registry** using Podman and save credentials to the default auth file location:
+```bash
+podman login <registry> --authfile=/etc/foreman/registry-auth.json
+```
 
-The advanced path breaks down to:
+2. **Ensure proper permissions** on the auth file:
+```bash
+sudo chmod 600 /etc/foreman/registry-auth.json
+sudo chown root:root /etc/foreman/registry-auth.json
+```
 
-  1. Configure package repository
-  2. Install `foremanctl` package
-  3. Login to registry with podman
-  3. Pull images
-  4. Generate certificates
-  5. Execute pre-requisite checks
-  6. Run deployment utility
-  7. Post deploy checks
+3. **Deploy as usual** - foremanctl will automatically detect and use the authentication file:
+```bash
+./foremanctl deploy
+```
+
+This approach integrates seamlessly with both the happy path and advanced deployment paths described above. The authentication is handled transparently during image pulling operations.
 
 ## Deployer Stages
 

src/roles/candlepin/defaults/main.yml

@@ -14,6 +14,7 @@ candlepin_ciphers:
   - TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
 candlepin_container_image: quay.io/foreman/candlepin
 candlepin_container_tag: "4.4.14"
+candlepin_registry_auth_file: /etc/foreman/registry-auth.json
 
 candlepin_database_host: localhost
 candlepin_database_port: 5432

src/roles/candlepin/tasks/main.yml

@@ -55,6 +55,8 @@
   containers.podman.podman_image:
     name: "{{ candlepin_container_image }}:{{ candlepin_container_tag }}"
     state: present
+  environment:
+    REGISTRY_AUTH_FILE: "/etc/foreman/registry-auth.json"
 
 - name: Deploy Candlepin quadlet
   containers.podman.podman_container:

src/roles/foreman/defaults/main.yaml

@@ -1,6 +1,7 @@
 ---
 foreman_container_image: "quay.io/foreman/foreman"
 foreman_container_tag: "nightly"
+foreman_registry_auth_file: /etc/foreman/registry-auth.json
 
 foreman_database_name: foreman
 foreman_database_user: foreman

src/roles/foreman/tasks/main.yaml

@@ -3,6 +3,8 @@
   containers.podman.podman_image:
     name: "{{ foreman_container_image }}:{{ foreman_container_tag }}"
     state: present
+  environment:
+    REGISTRY_AUTH_FILE: "/etc/foreman/registry-auth.json"
 
 - name: Create secret for DATABASE_URL
   containers.podman.podman_secret:
@@ -224,8 +226,7 @@
       - bin/rails db:migrate && bin/rails db:seed
     detach: false
     network: host
-    env:
-      FOREMAN_ENABLED_PLUGINS: "{{ foreman_plugins | join(' ') }}"
+    env: "{{ {'FOREMAN_ENABLED_PLUGINS': foreman_plugins | join(' ')} | combine({'REGISTRY_AUTH_FILE': '/etc/foreman/registry-auth.json'}) }}"
     secrets:
       - 'foreman-database-url,type=env,target=DATABASE_URL'
       - 'foreman-seed-admin-user,type=env,target=SEED_ADMIN_USER'

src/roles/postgresql/defaults/main.yml

@@ -1,6 +1,7 @@
 ---
 postgresql_container_image: quay.io/sclorg/postgresql-13-c9s
 postgresql_container_tag: "latest"
+postgresql_registry_auth_file: /etc/foreman/registry-auth.json
 postgresql_container_name: postgresql
 postgresql_network: host
 postgresql_restart_policy: always

src/roles/postgresql/tasks/main.yml

@@ -3,6 +3,8 @@
   containers.podman.podman_image:
     name: "{{ postgresql_container_image }}:{{ postgresql_container_tag }}"
     state: present
+  environment:
+    REGISTRY_AUTH_FILE: "/etc/foreman/registry-auth.json"
 
 - name: Create PostgreSQL storage directory
   ansible.builtin.file:

src/roles/pre_install/tasks/main.yaml

@@ -16,3 +16,11 @@
       - python3-libsemanage
       - python3-psycopg2
       - python3-requests
+
+- name: Create foreman configuration directory
+  ansible.builtin.file:
+    path: /etc/foreman
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'

src/roles/pulp/defaults/main.yaml

@@ -1,6 +1,7 @@
 ---
 pulp_container_image: quay.io/foreman/pulp
 pulp_container_tag: "3.73"
+pulp_registry_auth_file: /etc/foreman/registry-auth.json
 pulp_api_image: "{{ pulp_container_image }}:{{ pulp_container_tag }}"
 pulp_content_image: "{{ pulp_container_image }}:{{ pulp_container_tag }}"
 pulp_worker_image: "{{ pulp_container_image }}:{{ pulp_container_tag }}"

src/roles/pulp/tasks/main.yaml

@@ -1,17 +1,24 @@
+---
 - name: Pull the Pulp API container image
   containers.podman.podman_image:
     name: "{{ pulp_api_image }}"
     state: present
+  environment:
+    REGISTRY_AUTH_FILE: "/etc/foreman/registry-auth.json"
 
 - name: Pull the Pulp Content container image
   containers.podman.podman_image:
     name: "{{ pulp_content_image }}"
     state: present
+  environment:
+    REGISTRY_AUTH_FILE: "/etc/foreman/registry-auth.json"
 
 - name: Pull the Pulp Worker container image
   containers.podman.podman_image:
     name: "{{ pulp_worker_image }}"
     state: present
+  environment:
+    REGISTRY_AUTH_FILE: "/etc/foreman/registry-auth.json"
 
 - name: Create Pulp storage
   ansible.builtin.file:
@@ -202,7 +209,7 @@
     secrets:
       - 'pulp-symmetric-key,type=mount,target=/etc/pulp/certs/database_fields.symmetric.key'
       - 'pulp-db-password,type=env,target=PULP_DATABASES__default__PASSWORD'
-    env: "{{ pulp_settings_database_env }}"
+    env: "{{ pulp_settings_database_env | combine({'REGISTRY_AUTH_FILE': '/etc/foreman/registry-auth.json'}) }}"
 
 - name: Ensure Pulp admin user exists
   containers.podman.podman_container:
@@ -215,7 +222,7 @@
     secrets:
       - 'pulp-symmetric-key,type=mount,target=/etc/pulp/certs/database_fields.symmetric.key'
       - 'pulp-db-password,type=env,target=PULP_DATABASES__default__PASSWORD'
-    env: "{{ pulp_settings_database_env }}"
+    env: "{{ pulp_settings_database_env | combine({'REGISTRY_AUTH_FILE': '/etc/foreman/registry-auth.json'}) }}"
 
 - name: Flush handlers to restart services
   ansible.builtin.meta: flush_handlers