- Story
- Resolution: Done-Errata
- rhel-system-roles-1.78.1-0.1.el9
- sst_system_roles
- QE ack, Dev ack
- Red Hat Enterprise Linux
- System Roles Sprint 1, System Roles Sprint 2, System Roles Sprint 3, System Roles Sprint 4
- Enhancement
- Done
The role currently does not have a supported way to specify image registry credentials. The only way to specify image registry credentials is with the undocumented parameters container_image_user and container_image_password. The recommended way to pass registry credentials is https://issues.redhat.com/browse/RHEL-30183. But for users who want to use username/password, we should officially support this.
New parameters: podman_registry_username and podman_registry_password, which are the global defaults, and registry_username and registry_password, which can be specified for each kube_spec or quadlet_spec to override the global defaults. If the user specified container_image_user and not podman_registry_username, set podman_registry_username to container_image_user. If the user specified container_image_password and not podman_registry_password, set podman_registry_password to container_image_password.
h3. Security
Must be able to specify passwords using Ansible Vault, and tests should test this with Vault.
Must use no_log: true on any task which could log the password value, and this should be verified.
h3. Acceptance criteria
- User can specify credentials via podman_registry_username and podman_registry_password, and on a per-spec basis with registry_username and registry_password
- If user specifies container_image_user and not podman_registry_username, set podman_registry_username to container_image_user
- If user specifies container_image_password and not podman_registry_password, set podman_registry_password to container_image_password
- The new parameters are documented in the README.md
- The parameters container_image_user and container_image_password are marked as DEPRECATED in README.md
- There are tests for the new parameters
- The tests must use Ansible Vault encryption for the password parameters
- Test runs should be verified to confirm that no password values are logged
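The precedence rules and the log verification above can be sketched as follows. This is an added example, not code from the role or its test suite: the function names, sample variables and log lines are constructed, an empty string is treated as "not specified", and the base64 check assumes the common registry auth-file encoding of "user:password".

```python
import base64

# Deprecated parameter that backs each new global default (names from the issue).
DEPRECATED = {"podman_registry_username": "container_image_user",
              "podman_registry_password": "container_image_password"}

def resolve_registry_credentials(role_vars, spec):
    """Return (username, password) for one kube_spec or quadlet_spec item."""
    resolved = []
    for field in ("username", "password"):
        global_name = f"podman_registry_{field}"
        candidates = (spec.get(f"registry_{field}"),            # per-spec override
                      role_vars.get(global_name),               # global default
                      role_vars.get(DEPRECATED[global_name]))   # deprecated fallback
        # Treat None and "" as "not specified" (assumption of this sketch).
        resolved.append(next((c for c in candidates if c not in (None, "")), None))
    return tuple(resolved)

def find_leaks(log_text, username, password):
    """Return (line_number, form) for each log line exposing the password."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    needles = {"plaintext": password, "base64 user:password": token}
    return [(n, form)
            for n, line in enumerate(log_text.splitlines(), start=1)
            for form, needle in needles.items() if needle in line]

# Constructed inputs; every value below is made up for the example.
ROLE_VARS = {"container_image_user": "legacy_user",
             "podman_registry_password": "GlobalPw-constructed"}
SPEC_OVERRIDE = {"registry_username": "spec_user",
                 "registry_password": "SpecPw-constructed"}
CLEAN_LOG = """TASK [Log in to registry] ***
changed: [host] => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": true}
"""
LEAKY_LOG = """TASK [Log in to registry] ***
changed: [host] => {"cmd": ["podman", "login", "--username", "spec_user", "--password", "SpecPw-constructed", "registry.example.com"]}
"""

if __name__ == "__main__":
    for spec in ({}, SPEC_OVERRIDE):
        user, _password = resolve_registry_credentials(ROLE_VARS, spec)
        print("effective username:", user)  # never print the password itself
    print("clean log:", find_leaks(CLEAN_LOG, "spec_user", "SpecPw-constructed"))
    print("leaky log:", find_leaks(LEAKY_LOG, "spec_user", "SpecPw-constructed"))
```

The leak check reports only line numbers and the form of the match, so the verification output does not itself repeat the secret.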
- links to RHEA-2024:130467 rhel-system-roles bug fix and enhancement update