diff --git a/docs/deployment.md b/docs/deployment.md index 3efd1f8f..c7bb5f32 100644 --- a/docs/deployment.md +++ b/docs/deployment.md @@ -44,25 +44,27 @@ A deployment can have multiple base features enabled. ### Authenticated Registry Handling -In the non-default case where the image sources are supplied from an authenticated location users will need to inject a login step. -For example, users might be consuming a custom build of the Foreman image. +If you need to pull images from private or authenticated container registries, you can configure registry authentication using Podman's auth file. -In this case, the happy path becomes: +#### Setting up Registry Authentication - 1. Configure package repository - 2. Install `foremanctl` package - 3. Run deployment utility and provide registry username and token +1. **Login to your registry** using Podman and save credentials to the default auth file location: +```bash +podman login --authfile=/etc/foreman/registry-auth.json +``` -The advanced path breaks down to: +2. **Ensure proper permissions** on the auth file: +```bash +sudo chmod 600 /etc/foreman/registry-auth.json +sudo chown root:root /etc/foreman/registry-auth.json +``` - 1. Configure package repository - 2. Install `foremanctl` package - 3. Login to registry with podman - 3. Pull images - 4. Generate certificates - 5. Execute pre-requisite checks - 6. Run deployment utility - 7. Post deploy checks +3. **Deploy as usual** - foremanctl will automatically detect and use the authentication file: +```bash +./foremanctl deploy +``` + +This approach integrates seamlessly with both the happy path and advanced deployment paths described above. The authentication is handled transparently during image pulling operations. ## Deployer Stages diff --git a/src/playbooks/pull-images/pull-images.yaml b/src/playbooks/pull-images/pull-images.yaml index fff77f6e..3eb4e74d 100644 --- a/src/playbooks/pull-images/pull-images.yaml +++ b/src/playbooks/pull-images/pull-images.yaml 
@@ -8,20 +8,21 @@
 - "../../vars/images.yml"
 - "../../vars/base.yaml"
 become: true
- tasks:
- - name: Install podman
- ansible.builtin.package:
- name:
- - podman
-
+ roles:
+ - role: pre_install
+ post_tasks:
 - name: Pull an image
 containers.podman.podman_image:
 name: "{{ item }}"
+ environment:
+ REGISTRY_AUTH_FILE: "{{ registry_auth_file }}"
 loop: "{{ images }}"
 - name: Pull foreman_proxy images
 containers.podman.podman_image:
 name: "{{ item }}"
+ environment:
+ REGISTRY_AUTH_FILE: "{{ registry_auth_file }}"
 loop: "{{ foreman_proxy_images }}"
 when:
 - "'foreman-proxy' in enabled_features"
@@ -29,6 +30,8 @@
 - name: Pull database images
 containers.podman.podman_image:
 name: "{{ item }}"
+ environment:
+ REGISTRY_AUTH_FILE: "{{ registry_auth_file }}"
 loop: "{{ database_images }}"
 when:
 - database_mode == 'internal'
diff --git a/src/roles/candlepin/defaults/main.yml b/src/roles/candlepin/defaults/main.yml
index f2ecb26c..a83fc934 100644
--- a/src/roles/candlepin/defaults/main.yml
+++ b/src/roles/candlepin/defaults/main.yml
@@ -14,6 +14,7 @@ candlepin_ciphers:
 - TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
 candlepin_container_image: quay.io/foreman/candlepin
 candlepin_container_tag: "4.4.14"
+candlepin_registry_auth_file: /etc/foreman/registry-auth.json
 candlepin_database_host: localhost
 candlepin_database_port: 5432
diff --git a/src/roles/candlepin/tasks/main.yml b/src/roles/candlepin/tasks/main.yml
index a3c1f88f..92bf76a1 100644
--- a/src/roles/candlepin/tasks/main.yml
+++ b/src/roles/candlepin/tasks/main.yml
@@ -55,6 +55,8 @@
 containers.podman.podman_image:
 name: "{{ candlepin_container_image }}:{{ candlepin_container_tag }}"
 state: present
+ environment:
+ REGISTRY_AUTH_FILE: "{{ candlepin_registry_auth_file }}"
 - name: Deploy Candlepin quadlet
 containers.podman.podman_container:
diff --git a/src/roles/foreman/defaults/main.yaml b/src/roles/foreman/defaults/main.yaml
index 05118761..7b9ac28d 100644
--- a/src/roles/foreman/defaults/main.yaml
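Review bot: The play now hands `REGISTRY_AUTH_FILE` to every pull, but nothing checks that the file it points to is the root-owned 0600 file docs/deployment.md tells users to create, so a world-readable credential file would be used silently. A `pre_tasks:` stat/assert before the new `roles:` entry would refuse such a file while still allowing the unauthenticated case where the file is absent; the play header with `become: true` starts outside this hunk. The same `environment:` stanza is also repeated on each `podman_image` task here and in the hunk at line 30, where a single play-level `environment:` next to `become: true` would do.
```yaml
  pre_tasks:
    - name: Check registry auth file permissions
      ansible.builtin.stat:
        path: "{{ registry_auth_file }}"
      register: registry_auth_file_stat

    - name: Refuse to use a registry auth file that is not mode 0600
      ansible.builtin.assert:
        that:
          - not registry_auth_file_stat.stat.exists or registry_auth_file_stat.stat.mode == '0600'
        fail_msg: "{{ registry_auth_file }} must be mode 0600 (see docs/deployment.md)"
  # … unchanged: roles / post_tasks …
```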
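Review bot: `candlepin_registry_auth_file` hardcodes `/etc/foreman/registry-auth.json` instead of deriving it from the `registry_auth_file` variable this commit adds to src/vars/defaults.yml, so overriding `registry_auth_file` changes only the pull-images play while the role's own pull keeps using the default path. `candlepin_registry_auth_file: "{{ registry_auth_file | default('/etc/foreman/registry-auth.json') }}"` keeps the role usable standalone and follows the global override. The same applies to the foreman, foreman_proxy, postgresql, pulp and redis defaults hunks, which also leave the path unquoted while defaults.yml quotes it.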
+++ b/src/roles/foreman/defaults/main.yaml
@@ -1,6 +1,7 @@
 ---
 foreman_container_image: "quay.io/foreman/foreman"
 foreman_container_tag: "nightly"
+foreman_registry_auth_file: /etc/foreman/registry-auth.json
 foreman_database_name: foreman
 foreman_database_user: foreman
diff --git a/src/roles/foreman/tasks/main.yaml b/src/roles/foreman/tasks/main.yaml
index d2f8c061..be09b5be 100644
--- a/src/roles/foreman/tasks/main.yaml
+++ b/src/roles/foreman/tasks/main.yaml
@@ -3,6 +3,8 @@
 containers.podman.podman_image:
 name: "{{ foreman_container_image }}:{{ foreman_container_tag }}"
 state: present
+ environment:
+ REGISTRY_AUTH_FILE: "{{ foreman_registry_auth_file }}"
 - name: Create secret for DATABASE_URL
 containers.podman.podman_secret:
@@ -224,8 +226,7 @@
 - bin/rails db:migrate && bin/rails db:seed
 detach: false
 network: host
- env:
- FOREMAN_ENABLED_PLUGINS: "{{ foreman_plugins | join(' ') }}"
+ env: "{{ {'FOREMAN_ENABLED_PLUGINS': foreman_plugins | join(' ')} }}"
 secrets:
 - 'foreman-database-url,type=env,target=DATABASE_URL'
 - 'foreman-seed-admin-user,type=env,target=SEED_ADMIN_USER'
diff --git a/src/roles/foreman_proxy/defaults/main.yaml b/src/roles/foreman_proxy/defaults/main.yaml
index 4e4a4fe2..1d73e38b 100644
--- a/src/roles/foreman_proxy/defaults/main.yaml
+++ b/src/roles/foreman_proxy/defaults/main.yaml
@@ -1,4 +1,8 @@
 ---
+foreman_proxy_container_image: "quay.io/foreman/foreman-proxy"
+foreman_proxy_container_tag: "nightly"
+foreman_proxy_registry_auth_file: /etc/foreman/registry-auth.json
+
 foreman_proxy_name: "{{ ansible_facts['fqdn'] }}"
 foreman_proxy_https_port: 8443
 foreman_proxy_url: "https://{{ foreman_proxy_name }}:{{ foreman_proxy_https_port }}"
diff --git a/src/roles/foreman_proxy/tasks/main.yaml b/src/roles/foreman_proxy/tasks/main.yaml
index 47eaff73..176f3350 100644
--- a/src/roles/foreman_proxy/tasks/main.yaml
+++ b/src/roles/foreman_proxy/tasks/main.yaml
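Review bot: The rewrite of `env:` into an inline Jinja dictionary at the `db:migrate` task is not explained and, read in isolation, looks equivalent to the mapping it replaces, which makes it easy to revert by accident. A one-line comment above it stating why the templated dict form is required, e.g. `# env must be passed as one templated dict: <reason>`, would preserve the intent; if the change is unrelated to registry authentication it arguably belongs in its own commit. The task this line belongs to starts before the hunk.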
@@ -3,6 +3,8 @@
 containers.podman.podman_image:
 name: "{{ foreman_proxy_container_image }}:{{ foreman_proxy_container_tag }}"
 state: present
+ environment:
+ REGISTRY_AUTH_FILE: "{{ foreman_proxy_registry_auth_file }}"
 - name: Create config secrets
 ansible.builtin.include_tasks: configs.yaml
diff --git a/src/roles/postgresql/defaults/main.yml b/src/roles/postgresql/defaults/main.yml
index aad8c585..35f579a6 100644
--- a/src/roles/postgresql/defaults/main.yml
+++ b/src/roles/postgresql/defaults/main.yml
@@ -1,6 +1,7 @@
 ---
 postgresql_container_image: quay.io/sclorg/postgresql-13-c9s
 postgresql_container_tag: "latest"
+postgresql_registry_auth_file: /etc/foreman/registry-auth.json
 postgresql_container_name: postgresql
 postgresql_network: host
 postgresql_restart_policy: always
diff --git a/src/roles/postgresql/tasks/main.yml b/src/roles/postgresql/tasks/main.yml
index ab57afe5..0187c9a4 100644
--- a/src/roles/postgresql/tasks/main.yml
+++ b/src/roles/postgresql/tasks/main.yml
@@ -3,6 +3,8 @@
 containers.podman.podman_image:
 name: "{{ postgresql_container_image }}:{{ postgresql_container_tag }}"
 state: present
+ environment:
+ REGISTRY_AUTH_FILE: "{{ postgresql_registry_auth_file }}"
 - name: Create PostgreSQL storage directory
 ansible.builtin.file:
diff --git a/src/roles/pulp/defaults/main.yaml b/src/roles/pulp/defaults/main.yaml
index 23eb05d3..e2d10d8c 100644
--- a/src/roles/pulp/defaults/main.yaml
+++ b/src/roles/pulp/defaults/main.yaml
@@ -1,6 +1,7 @@
 ---
 pulp_container_image: quay.io/foreman/pulp
 pulp_container_tag: "3.73"
+pulp_registry_auth_file: /etc/foreman/registry-auth.json
 pulp_api_image: "{{ pulp_container_image }}:{{ pulp_container_tag }}"
 pulp_content_image: "{{ pulp_container_image }}:{{ pulp_container_tag }}"
 pulp_worker_image: "{{ pulp_container_image }}:{{ pulp_container_tag }}"
diff --git a/src/roles/pulp/tasks/main.yaml b/src/roles/pulp/tasks/main.yaml
index 79b5d563..f52a438d 100644
--- a/src/roles/pulp/tasks/main.yaml
+++ b/src/roles/pulp/tasks/main.yaml
@@ -1,17 +1,24 @@
+---
 - name: Pull the Pulp API container image
 containers.podman.podman_image:
 name: "{{ pulp_api_image }}"
 state: present
+ environment:
+ REGISTRY_AUTH_FILE: "{{ pulp_registry_auth_file }}"
 - name: Pull the Pulp Content container image
 containers.podman.podman_image:
 name: "{{ pulp_content_image }}"
 state: present
+ environment:
+ REGISTRY_AUTH_FILE: "{{ pulp_registry_auth_file }}"
 - name: Pull the Pulp Worker container image
 containers.podman.podman_image:
 name: "{{ pulp_worker_image }}"
 state: present
+ environment:
+ REGISTRY_AUTH_FILE: "{{ pulp_registry_auth_file }}"
 - name: Create Pulp storage
 ansible.builtin.file:
diff --git a/src/roles/redis/defaults/main.yml b/src/roles/redis/defaults/main.yml
index 5c0c3e14..1b0e2af3 100644
--- a/src/roles/redis/defaults/main.yml
+++ b/src/roles/redis/defaults/main.yml
@@ -1,3 +1,4 @@
 ---
 redis_container_image: quay.io/sclorg/redis-6-c9s
 redis_container_tag: "latest"
+redis_registry_auth_file: /etc/foreman/registry-auth.json
diff --git a/src/roles/redis/tasks/main.yaml b/src/roles/redis/tasks/main.yaml
index 441691e1..c5a82c1e 100644
--- a/src/roles/redis/tasks/main.yaml
+++ b/src/roles/redis/tasks/main.yaml
@@ -3,6 +3,8 @@
 containers.podman.podman_image:
 name: "{{ redis_container_image }}:{{ redis_container_tag }}"
 state: present
+ environment:
+ REGISTRY_AUTH_FILE: "{{ redis_registry_auth_file }}"
 - name: Create directory for Redis data
 ansible.builtin.file:
diff --git a/src/vars/defaults.yml b/src/vars/defaults.yml
index 5ea8bd4c..9dbb5557 100644
--- a/src/vars/defaults.yml
+++ b/src/vars/defaults.yml
@@ -5,3 +5,4 @@ tuning_profile: development
 flavor: katello
 features: []
 enabled_features: "{{ (flavor_features + features) }}"
+registry_auth_file: "/etc/foreman/registry-auth.json"
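Review bot: The three Pulp pull tasks now carry identical `environment:` stanzas, so the auth-file setting is maintained in three places within one role. Wrapping the three `podman_image` tasks in a single `block:` that carries one `environment:` with `REGISTRY_AUTH_FILE: "{{ pulp_registry_auth_file }}"` would keep it in one place without changing what each pull receives.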