Add secret support to podman login #19200
Conversation
openshift-ci
bot
added
release-note
approved
|
@kriansa PTAL |
|
@ashley-cui @vrothberg PTAL |
|
@alexlarsson @ygalblum This is my idea for how quadlet could handle registry secrets, In pre section of the quadlet, do a ExecStartPre=podman login --secret secret registryfor.image.in.quadlet |
test/system/150-login.bats
Outdated
| "output from podman logout" | ||
| run_podman secret rm $secret | ||
|
|
||
| # test using secred id as --username |
There was a problem hiding this comment.
nit of a nit
| # test using secred id as --username | |
| # test using secret id as --username |
test/system/150-login.bats
Outdated
|
|
||
| run_podman login --tls-verify=false \ | ||
| --username ${PODMAN_LOGIN_USER} \ | ||
| --secret ${output} \ |
There was a problem hiding this comment.
This squicks me out a little: first, it's not immediately obvious what $output is, second, it would be so easy to accidentally insert a run_podman load or run or something. Suggestion: add secretid=$output immediately after the secret create. Otherwise LGTM. with @TomSweeneyRedHat's suggestions.
cmd/podman/login.go
Outdated
| @@ -48,7 +51,8 @@ func init() { | |||
| completion.CompleteCommandFlags(loginCommand, auth.GetLoginFlagsCompletions()) | |||
|
|
|||
| // Podman flags. | |||
| flags.BoolVarP(&loginOptions.tlsVerify, "tls-verify", "", false, "Require HTTPS and verify certificates when contacting registries") | |||
| flags.BoolVar(&loginOptions.tlsVerify, "tls-verify", false, "Require HTTPS and verify certificates when contacting registries") | |||
| flags.String("secret", "", "retrieve passwd from secret file") | |||
There was a problem hiding this comment.
| flags.String("secret", "", "retrieve passwd from secret file") | |
| flags.String("secret", "", "Retrieve password from podman secret") |
| @@ -18,6 +18,8 @@ TLS certificates and keys, SSH keys or other important generic strings or binary | |||
|
|
|||
| Secrets are not committed to an image with `podman commit`, and does not get committed in the archive created by a `podman export` command. | |||
|
|
|||
| You can also use secrets to store secret data whcih can be used by `podman login` to authenticate to container registries. | |||
There was a problem hiding this comment.
| You can also use secrets to store secret data whcih can be used by `podman login` to authenticate to container registries. | |
| You can also use secrets to store passwords for `podman login` to authenticate against container registries. |
cmd/podman/login.go
Outdated
| @@ -48,7 +51,8 @@ func init() { | |||
| completion.CompleteCommandFlags(loginCommand, auth.GetLoginFlagsCompletions()) | |||
|
|
|||
| // Podman flags. | |||
| flags.BoolVarP(&loginOptions.tlsVerify, "tls-verify", "", false, "Require HTTPS and verify certificates when contacting registries") | |||
| flags.BoolVar(&loginOptions.tlsVerify, "tls-verify", false, "Require HTTPS and verify certificates when contacting registries") | |||
| flags.String("secret", "", "retrieve passwd from secret file") | |||
There was a problem hiding this comment.
missing autocompletion function, this should complete secrets AutocompleteSecrets()
About the Quadlet integration, not sure I like it because the login and logout operations are not specific to the quadlet. As a result, if you have two services logging in to the same registry it can become a mess. I see two possible issues. First, different credentials to the same registry. Second, while both services are running, stopping one of them will logout from the registry. So, for Quadlet, I think it's better to support a new unit type e.g. |
Signed-off-by: Daniel J Walsh <[email protected]>
|
Sure, I was just giving an example of how you could use it. Probably would be fine to just do the ExecPreStart and never remove the secret, since on reboot the secret will be removed, and the secret is already stored on disk in a simple base64 encoding so there is no additional security risk to leaving it around. |
Co-authored-by: Ashley Cui <[email protected]> Signed-off-by: Daniel J Walsh <[email protected]>
|
@vrothberg @giuseppe @Luap99 @TomSweeneyRedHat @containers/podman-maintainers PTAL |
|
LGTM |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rhatdan, vrothberg The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
github-actions
bot
added
the
locked - please file new issue/PR
Does this PR introduce a user-facing change?
Fixes: #18667