RHEL-30185

podman role should support default credentials and per-unit credentials

    • rhel-system-roles-1.78.1-0.1.el9
    • None
    • 4
    • rhel-sst-system-roles
    • 2
    • QE ack, Dev ack
    • False
    • Yes
    • Red Hat Enterprise Linux
    • System Roles Sprint 1, System Roles Sprint 2, System Roles Sprint 3, System Roles Sprint 4
    • Enhancement
    • .New variables in the `podman` RHEL system role: `podman_registry_username` and `podman_registry_password`

      The `podman` RHEL system role now enables you to specify the container image registry credentials either globally or on a per-specification basis. For that purpose, you must configure both role variables:

      * `podman_registry_username` (string, defaults to unset): Configures the username for authentication with the container image registry. You must also set the `podman_registry_password` variable. You can override `podman_registry_username` on a per-specification basis with the `registry_username` variable. Each operation involving credentials would then be performed according to the detailed rules and protocols defined in that specification.

      * `podman_registry_password` (string, defaults to unset): Configures the password for authentication with the container image registry. You must also set the `podman_registry_username` variable. You can override `podman_registry_password` on a per-specification basis with the `registry_password` variable. Each operation involving credentials would then be performed according to the detailed rules and protocols defined in that specification. For security, encrypt the password using the Ansible Vault feature.

      As a result, you can use the `podman` RHEL system role to manage containers whose images come from registries that require authentication for access.

      For more details, see the resources in the `/usr/share/doc/rhel-system-roles/podman/` directory.
    • Done
    • None

      The role currently does not have a supported way to specify image registry credentials. The only way to specify image registry credentials is with the undocumented parameters container_image_user and container_image_password. The recommended way to pass registry credentials is https://issues.redhat.com/browse/RHEL-30183. But for users who want to use username/password, we should officially support this.

      New parameters - podman_registry_username and podman_registry_password which are the global defaults, and registry_username and registry_password which can be specified for each kube_spec or quadlet_spec, to override the global defaults. If the user specified container_image_user and not podman_registry_username, set podman_registry_username to container_image_user. If the user specified container_image_password and not podman_registry_password, set podman_registry_password to container_image_password.

      Security

      Must be able to specify passwords using Ansible Vault, and tests should test this with Vault.
      Must use no_log: true on any task which could log the password value, and this should be verified.

      Acceptance criteria

      • User can specify credentials via podman_registry_username and podman_registry_password, and on a per-spec basis with registry_username and registry_password
      • If user specifies container_image_user and not podman_registry_username, set podman_registry_username to container_image_user
      • If user specifies container_image_password and not podman_registry_password, set podman_registry_password to container_image_password
      • The new parameters are documented in the README.md
      • The parameters container_image_user and container_image_password are marked as DEPRECATED in README.md
      • There are tests for the new parameters
      • The tests must use Ansible Vault encryption for the password parameters
      • The test runs should be checked to verify that no password values are logged
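
      A playbook using the global defaults and a per-spec override described above, with both passwords kept in an Ansible Vault encrypted file. This is an added example, not taken from the issue or the role's documentation. The registry hosts, account names, `vault_*` variables, the `vars/registry_vault.yml` path, the unit contents, and the spec keys other than `registry_username` and `registry_password` are assumptions.

```yaml
# Added example; not the role's own code or documentation.
# Assumed: registry hosts, account names, vault_* variable names,
# vars/registry_vault.yml, and the quadlet spec keys name/type/file_content.
- name: Deploy quadlet containers from authenticated registries
  hosts: all
  vars_files:
    # Encrypted at rest (created with: ansible-vault create vars/registry_vault.yml).
    # Assumed to define vault_default_registry_password and
    # vault_partner_registry_password.
    - vars/registry_vault.yml
  vars:
    # Global defaults: used by every spec that does not override them.
    # Username and password must be set together.
    podman_registry_username: svc-deploy
    podman_registry_password: "{{ vault_default_registry_password }}"
    podman_quadlet_specs:
      # No per-spec credentials: falls back to the global defaults.
      - name: web
        type: container
        file_content: |
          [Container]
          Image=registry.example.com/apps/web:1.0
          [Install]
          WantedBy=default.target
      # Per-spec override: these credentials apply to this spec only.
      - name: partner-api
        type: container
        registry_username: svc-partner
        registry_password: "{{ vault_partner_registry_password }}"
        file_content: |
          [Container]
          Image=partner-registry.example.com/api:2.3
          [Install]
          WantedBy=default.target
  roles:
    - rhel-system-roles.podman
```

      Run it with `ansible-playbook --ask-vault-pass` so the passwords are decrypted only in memory at run time. To check the logging criterion, capture a verbose run and search the output for the plaintext password values; none should appear.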

      spetros@redhat.com nkinder@redhat.com rhn-support-briasmit vrothber@redhat.com

              rmeggins@redhat.com Richard Megginson
              David Jez
              Jaroslav Klech