Add support for authenticated registries #245

pablomh · 2026-01-20T18:15:53Z

Maybe drop the " to keep consistency with the rest of vars files.

-Original file line number
+Diff line change
@@ Expand Up / @@ -44,25 +44,27 @@ A deployment can have multiple base features enabled. @@
     ### Authenticated Registry Handling
-    In the non-default case where the image sources are supplied from an authenticated location users will need to inject a login step.
-    For example, users might be consuming a custom build of the Foreman image.
+    If you need to pull images from private or authenticated container registries, you can configure registry authentication using Podman's auth file.
-    In this case, the happy path becomes:
+    #### Setting up Registry Authentication
-. Configure package repository
-. Install `foremanctl` package
-. Run deployment utility and provide registry username and token
+. **Login to your registry** using Podman and save credentials to the default auth file location:
+    ```bash
+    podman login <registry> --authfile=/etc/foreman/registry-auth.json
+    ```
-    The advanced path breaks down to:
+. **Ensure proper permissions** on the auth file:
+    ```bash
+    sudo chmod 600 /etc/foreman/registry-auth.json
+    sudo chown root:root /etc/foreman/registry-auth.json
+    ```
-. Configure package repository
-. Install `foremanctl` package
-. Login to registry with podman
-. Pull images
-. Generate certificates
-. Execute pre-requisite checks
-. Run deployment utility
-. Post deploy checks
+. **Deploy as usual** - foremanctl will automatically detect and use the authentication file:
+    ```bash
+    ./foremanctl deploy
+    ```
+    This approach integrates seamlessly with both the happy path and advanced deployment paths described above. The authentication is handled transparently during image pulling operations.
     ## Deployer Stages
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -8,27 +8,30 @@ @@
         - "../../vars/images.yml"
         - "../../vars/base.yaml"
       become: true
-      tasks:
-        - name: Install podman
-          ansible.builtin.package:
-            name:
-              - podman
+      roles:
+        - role: pre_install
+      post_tasks:
         - name: Pull an image
           containers.podman.podman_image:
             name: "{{ item }}"
+          environment:
+            REGISTRY_AUTH_FILE: "{{ registry_auth_file }}"
           loop: "{{ images }}"
         - name: Pull foreman_proxy images
           containers.podman.podman_image:
             name: "{{ item }}"
+          environment:
+            REGISTRY_AUTH_FILE: "{{ registry_auth_file }}"
           loop: "{{ foreman_proxy_images }}"
           when:
             - "'foreman-proxy' in enabled_features"
         - name: Pull database images
           containers.podman.podman_image:
             name: "{{ item }}"
+          environment:
+            REGISTRY_AUTH_FILE: "{{ registry_auth_file }}"
           loop: "{{ database_images }}"
           when:
             - database_mode == 'internal'

-Original file line number
+Diff line change
@@ Expand Up / @@ -14,6 +14,7 @@ candlepin_ciphers: @@
       - TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
     candlepin_container_image: quay.io/foreman/candlepin
     candlepin_container_tag: "4.4.14"
+    candlepin_registry_auth_file: /etc/foreman/registry-auth.json
     candlepin_database_host: localhost
     candlepin_database_port: 5432
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -55,6 +55,8 @@ @@
       containers.podman.podman_image:
         name: "{{ candlepin_container_image }}:{{ candlepin_container_tag }}"
         state: present
+      environment:
+        REGISTRY_AUTH_FILE: "{{ candlepin_registry_auth_file }}"
     - name: Deploy Candlepin quadlet
       containers.podman.podman_container:
@@ Expand Down @@

-Original file line number
+Diff line change
@@ -1,6 +1,7 @@
     ---
     foreman_container_image: "quay.io/foreman/foreman"
     foreman_container_tag: "nightly"
+    foreman_registry_auth_file: /etc/foreman/registry-auth.json
     foreman_database_name: foreman
     foreman_database_user: foreman
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add support for authenticated registries #245

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

Uh oh!

pablomh Jan 20, 2026

Uh oh!

Uh oh!

-Original file line number
+Diff line change
@@ Expand Up / @@ -3,6 +3,8 @@ @@
       containers.podman.podman_image:
         name: "{{ foreman_container_image }}:{{ foreman_container_tag }}"
         state: present
+      environment:
+        REGISTRY_AUTH_FILE: "{{ foreman_registry_auth_file }}"
     - name: Create secret for DATABASE_URL
       containers.podman.podman_secret:
@@ Expand Down Expand Up / @@ -224,8 +226,7 @@ @@
           - bin/rails db:migrate && bin/rails db:seed
         detach: false
         network: host
-        env:
-          FOREMAN_ENABLED_PLUGINS: "{{ foreman_plugins | join(' ') }}"
+        env: "{{ {'FOREMAN_ENABLED_PLUGINS': foreman_plugins | join(' ')} }}"
         secrets:
           - 'foreman-database-url,type=env,target=DATABASE_URL'
           - 'foreman-seed-admin-user,type=env,target=SEED_ADMIN_USER'
@@ Expand Down @@

-Original file line number
+Diff line change
@@ -1,4 +1,8 @@
     ---
+    foreman_proxy_container_image: "quay.io/foreman/foreman-proxy"
+    foreman_proxy_container_tag: "nightly"
+    foreman_proxy_registry_auth_file: /etc/foreman/registry-auth.json
     foreman_proxy_name: "{{ ansible_facts['fqdn'] }}"
     foreman_proxy_https_port: 8443
     foreman_proxy_url: "https://{{ foreman_proxy_name }}:{{ foreman_proxy_https_port }}"
@@ Expand Down @@

-Original file line number
+Diff line change
@@ -1,6 +1,7 @@
     ---
     postgresql_container_image: quay.io/sclorg/postgresql-13-c9s
     postgresql_container_tag: "latest"
+    postgresql_registry_auth_file: /etc/foreman/registry-auth.json
     postgresql_container_name: postgresql
     postgresql_network: host
     postgresql_restart_policy: always
@@ Expand Down @@

-Original file line number
+Diff line change
@@ -1,6 +1,7 @@
     ---
     pulp_container_image: quay.io/foreman/pulp
     pulp_container_tag: "3.73"
+    pulp_registry_auth_file: /etc/foreman/registry-auth.json
     pulp_api_image: "{{ pulp_container_image }}:{{ pulp_container_tag }}"
     pulp_content_image: "{{ pulp_container_image }}:{{ pulp_container_tag }}"
     pulp_worker_image: "{{ pulp_container_image }}:{{ pulp_container_tag }}"
@@ Expand Down @@

-Original file line number
+Diff line change
@@ -1,3 +1,4 @@
     ---
     redis_container_image: quay.io/sclorg/redis-6-c9s
     redis_container_tag: "latest"
+    redis_registry_auth_file: /etc/foreman/registry-auth.json

-Original file line number
+Diff line change
@@ Expand Up / @@ -5,3 +5,4 @@ tuning_profile: development @@
     flavor: katello
     features: []
     enabled_features: "{{ (flavor_features + features) }}"
+    registry_auth_file: "/etc/foreman/registry-auth.json"

Add support for authenticated registries #245

Are you sure you want to change the base?

Add support for authenticated registries #245

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

Uh oh!

pablomh Jan 20, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!