From bdec55ffc70f6496c43a1315ba79b19390ad362b Mon Sep 17 00:00:00 2001 From: uumas Date: Mon, 6 Oct 2025 16:17:27 +0300 Subject: [PATCH] Use auth file instead of creds in quadlet files --- roles/container/defaults/main.yaml | 3 --- roles/container/meta/argument_specs.yaml | 16 ---------------- roles/container/tasks/main.yaml | 2 +- roles/container/vars/main.yaml | 9 +++++++++ roles/image/defaults/main.yaml | 4 ---- roles/image/meta/argument_specs.yaml | 16 ---------------- roles/image/tasks/main.yaml | 9 +++++++-- roles/podman/tasks/main.yaml | 3 ++- roles/service/defaults/main.yaml | 4 ---- roles/service/meta/argument_specs.yaml | 16 ---------------- roles/service/tasks/additional.yaml | 1 - roles/service/tasks/main.yaml | 1 - 12 files changed, 19 insertions(+), 65 deletions(-) delete mode 100644 roles/image/defaults/main.yaml diff --git a/roles/container/defaults/main.yaml b/roles/container/defaults/main.yaml index f8d38b4..d1fa310 100644 --- a/roles/container/defaults/main.yaml +++ b/roles/container/defaults/main.yaml @@ -11,6 +11,3 @@ container_auto_start: true container_auto_update: true container_requires: [] container_wants: [] -container_image_creds: - username: "" - password: "" diff --git a/roles/container/meta/argument_specs.yaml b/roles/container/meta/argument_specs.yaml index 2c6b95d..ace3cdf 100644 --- a/roles/container/meta/argument_specs.yaml +++ b/roles/container/meta/argument_specs.yaml @@ -23,22 +23,6 @@ argument_specs: description: "The image to run in the container, in FQIN format (registry/imagename:tag)" type: str required: true - container_image_creds: - description: Credentials used to authenticate with the registry - type: dict - required: false - default: - username: "" - password: "" - options: - username: - description: Username - type: str - required: true - password: - description: Password - type: str - required: true container_mounts: description: List of bind mounts or volumes to be mounted inside the container. 
diff --git a/roles/container/tasks/main.yaml b/roles/container/tasks/main.yaml index dac2ece..df847c4 100644 --- a/roles/container/tasks/main.yaml +++ b/roles/container/tasks/main.yaml @@ -7,7 +7,6 @@ name: image vars: image_name: "{{ container_image }}" - image_creds: "{{ container_image_creds }}" when: image_created_images is not defined or container_image not in image_created_images - name: Create networks for container {{ container_name }} @@ -52,6 +51,7 @@ publish: "{{ container_publish_ports }}" secrets: "{{ _container_secrets }}" env: "{{ container_env }}" + label: "{{ _container_labels if _container_labels | length > 0 else omit }}" state: quadlet quadlet_file_mode: "0600" quadlet_options: "{{ _container_quadlet_options }}" diff --git a/roles/container/vars/main.yaml b/roles/container/vars/main.yaml index e983cbc..f6e496a 100644 --- a/roles/container/vars/main.yaml +++ b/roles/container/vars/main.yaml @@ -68,6 +68,15 @@ _container_secrets: >- | map('join', ',') }} +_container_labels: >- + {{ + {'io.containers.autoupdate.authfile': '/etc/containers/auth.json'} + if container_auto_update and + container_image.split('/')[0] in + podman_registry_accounts | map(attribute='registry') + else {} + }} + _container_quadlet_unit_options: | [Unit] Description=Container {{ container_name }} diff --git a/roles/image/defaults/main.yaml b/roles/image/defaults/main.yaml deleted file mode 100644 index 7e2105b..0000000 --- a/roles/image/defaults/main.yaml +++ /dev/null @@ -1,4 +0,0 @@ ---- -image_creds: - username: "" - password: "" diff --git a/roles/image/meta/argument_specs.yaml b/roles/image/meta/argument_specs.yaml index d11e382..4dc8ac4 100644 --- a/roles/image/meta/argument_specs.yaml +++ b/roles/image/meta/argument_specs.yaml 
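Review bot: `_container_labels` in roles/container/vars/main.yaml references `podman_registry_accounts`, a variable owned by the podman role, with no default, so if the container role runs on a host where that list is undefined the expression errors instead of just omitting the `io.containers.autoupdate.authfile` label. `podman_registry_accounts | default([]) | map(attribute='registry')` makes the fallback explicit; the same registry-match expression and the literal `/etc/containers/auth.json` path are repeated in the `quadlet_options` added in roles/image/tasks/main.yaml, so both would be easier to keep in sync as one shared variable (e.g. `podman_authfile`) set once in the podman role. Note also that `container_image.split('/')[0]` only names a registry when the image is fully qualified; for a short name the first segment is a repository, so the comparison silently yields no label — consistent with the FQIN requirement in the argument spec, but worth a one-line comment above the var.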
@@ -9,19 +9,3 @@ argument_specs: description: "The image FQIN (format registry/imagename:tag)" type: str required: true - image_creds: - description: Credentials used to authenticate with the registry - type: dict - required: false - default: - username: "" - password: "" - options: - username: - description: Username - type: str - required: true - password: - description: Password - type: str - required: true diff --git a/roles/image/tasks/main.yaml b/roles/image/tasks/main.yaml index 37c371f..a36feea 100644 --- a/roles/image/tasks/main.yaml +++ b/roles/image/tasks/main.yaml @@ -6,9 +6,14 @@ - name: Create container image service {{ image_name }} containers.podman.podman_image: name: "{{ image_name }}" - username: "{{ image_creds.username if image_creds.username | length > 0 else omit }}" - password: "{{ image_creds.password if image_creds.password | length > 0 else omit }}" state: quadlet quadlet_filename: "{{ image_name | replace('/', '_') }}" quadlet_file_mode: "0600" + quadlet_options: >- + {{ + ['AuthFile=/etc/containers/auth.json'] + if image_name.split('/')[0] in + podman_registry_accounts | map(attribute='registry') + else [] + }} notify: Reload systemd daemon diff --git a/roles/podman/tasks/main.yaml b/roles/podman/tasks/main.yaml index 02b0893..ce8411e 100644 --- a/roles/podman/tasks/main.yaml +++ b/roles/podman/tasks/main.yaml @@ -16,5 +16,6 @@ registry: "{{ item.registry }}" username: "{{ item.username }}" password: "{{ item.password }}" - authfile: /run/containers/0/auth.json + authfile: /etc/containers/auth.json loop: "{{ podman_registry_accounts }}" + no_log: true diff --git a/roles/service/defaults/main.yaml b/roles/service/defaults/main.yaml index f382cbd..93392c8 100644 --- a/roles/service/defaults/main.yaml +++ b/roles/service/defaults/main.yaml @@ -27,7 +27,3 @@ service_additional_containers: [] service_requires: [] service_wants: [] service_auto_update: true - -service_container_image_creds: - username: "" - password: "" 
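Review bot: Moving the authfile from `/run/containers/0/auth.json` to `/etc/containers/auth.json` in roles/podman/tasks/main.yaml makes the registry credentials persist on disk across reboots (which the quadlet units need at boot), but nothing in the hunk pins the file's owner or mode; unless the login module is known to create it restrictively, add a follow-up `ansible.builtin.file` task after the loop with `path: /etc/containers/auth.json`, `owner: root` and `mode: "0600"` so the stored credentials are not readable by other local users. The added `no_log: true` is the right call since each loop item carries `item.password`, but it also suppresses the failure output for this task; a short comment such as `# no_log: loop items contain registry passwords` records the intent. The task's module line sits above the hunk.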
diff --git a/roles/service/meta/argument_specs.yaml b/roles/service/meta/argument_specs.yaml index 4fce6dc..2a6cb9a 100644 --- a/roles/service/meta/argument_specs.yaml +++ b/roles/service/meta/argument_specs.yaml @@ -66,22 +66,6 @@ argument_specs: description: "The image to run in the service container(s), in FQIN format (registry/imagename:tag)." type: str required: true - service_container_image_creds: - description: Credentials used to authenticate with the registry - type: dict - required: false - default: - username: "" - password: "" - options: - username: - description: Username - type: str - required: true - password: - description: Password - type: str - required: true service_container_user: description: The UID to run as inside the container diff --git a/roles/service/tasks/additional.yaml b/roles/service/tasks/additional.yaml index 0f0c60e..e36cd5d 100644 --- a/roles/service/tasks/additional.yaml +++ b/roles/service/tasks/additional.yaml @@ -5,7 +5,6 @@ vars: container_name: "{{ _service_additional_container.name }}" container_image: "{{ _service_additional_container.image | default(service_container_image) }}" - container_image_creds: "{{ service_container_image_creds }}" container_command: "{{ _service_additional_container.command | default([]) }}" container_user: "{{ service_container_user }}" container_mounts: "{{ _service_additional_container_mounts }}" diff --git a/roles/service/tasks/main.yaml b/roles/service/tasks/main.yaml index 51873c1..8acf0df 100644 --- a/roles/service/tasks/main.yaml +++ b/roles/service/tasks/main.yaml @@ -28,7 +28,6 @@ vars: container_name: "{{ service_name }}" container_image: "{{ service_container_image }}" - container_image_creds: "{{ service_container_image_creds }}" container_command: "{{ service_container_command }}" container_user: "{{ service_container_user }}" container_mounts: "{{ _service_container_mounts }}"