From 44584c68f186b331042aa74af764b1ff2082b8a4 Mon Sep 17 00:00:00 2001 From: Joakim Date: Tue, 16 Dec 2025 00:53:42 +0100 Subject: [PATCH] Add GitHub Container Registry authentication to Podman role - Deploy /etc/containers/auth.json with GHCR credentials - Support for private container image pulls - Credentials encrypted in Ansible vault - Used by devigo and other services pulling from private registries - Updated documentation with authentication setup --- roles/podman/README.md | 21 ++++++++++++++++++++ roles/podman/tasks/main.yml | 24 +++++++++++++++++++++++ roles/podman/templates/containers.conf.j2 | 5 ++++- 3 files changed, 49 insertions(+), 1 deletion(-) diff --git a/roles/podman/README.md b/roles/podman/README.md index 5122d9d..317c743 100644 --- a/roles/podman/README.md +++ b/roles/podman/README.md @@ -34,6 +34,27 @@ Podman is deployed as a system-level infrastructure service that provides contai All registries configured with HTTPS-only, no insecure connections allowed. +### **Private Registry Authentication:** +For private container images (e.g., from GitHub Container Registry), this role deploys authentication credentials: + +- **Auth file**: `/etc/containers/auth.json` (system-wide, for root containers) +- **Permissions**: 0600 (root:root only) +- **Credentials**: Stored encrypted in Ansible Vault +- **Automatic**: Quadlet containers automatically use authentication when pulling images + +**Configuration:** +```yaml +# In group_vars/production/vault.yml (encrypted) +vault_github_username: "your-username" +vault_github_token: "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + +# In group_vars/production/main.yml +github_username: "{{ vault_github_username }}" +github_token: "{{ vault_github_token }}" +``` + +When these variables are defined, the role automatically deploys authentication for ghcr.io. + ## Application Integration Applications should create service-specific users and manage their own container deployments: 
diff --git a/roles/podman/tasks/main.yml b/roles/podman/tasks/main.yml index 78fbfa1..96c7922 100644 --- a/roles/podman/tasks/main.yml +++ b/roles/podman/tasks/main.yml @@ -61,6 +61,29 @@ changed_when: false failed_when: false +# ================================================================= +# Container Registry Authentication +# ================================================================= +# Deploy system-wide authentication for private container registries +# Currently supports: GitHub Container Registry (ghcr.io) + +- name: Deploy GitHub Container Registry authentication + copy: + content: | + { + "auths": { + "ghcr.io": { + "auth": "{{ (github_username + ':' + github_token) | b64encode }}" + } + } + } + dest: /etc/containers/auth.json + mode: '0600' + owner: root + group: root + when: github_username is defined and github_token is defined + no_log: true # Don't log sensitive authentication data + - name: Display Podman infrastructure status debug: msg: | @@ -70,6 +93,7 @@ 🔒 Security: Rootless container runtime enabled 📦 Registries: {{ podman_registries | join(', ') }} 🏗️ Storage: {{ 'overlay' if 'overlay' in podman_system_info.stdout else 'system default' }} + 🔑 Auth: {{ 'GitHub Container Registry configured' if (github_username is defined and github_token is defined) else 'No private registry auth' }} 🚀 Ready for containerized applications! diff --git a/roles/podman/templates/containers.conf.j2 b/roles/podman/templates/containers.conf.j2 index f99777a..4518e7d 100644 --- a/roles/podman/templates/containers.conf.j2 +++ b/roles/podman/templates/containers.conf.j2 @@ -19,6 +19,9 @@ network_backend = "netavark" # Default network for new containers default_network = "{{ podman_default_network }}" +# For signing into ghcr.io +auth_file = "/etc/containers/auth.json" + # ================================================================= # Storage Configuration # ================================================================= 
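Review bot: The auth file is deployed 0600 root:root, yet the role's own status line in the next hunk advertises `Rootless container runtime enabled` and the README tells applications to run their containers under service-specific users; a rootless quadlet running as such a user cannot read `/etc/containers/auth.json`, so its private pulls would presumably still fail with an authentication error. If that split is intended, say so where the file is written, e.g. `# Root-only (0600): rootless service users need their own auth.json under $XDG_RUNTIME_DIR/containers/`; otherwise a per-user copy is needed. The `when:` guard only tests definedness, so an empty vault value still yields a credential entry of `user:` — prefer `when: (github_username | default('')) | length > 0 and (github_token | default('')) | length > 0`. Because the token sits on disk as reversible base64, the header comment should also state that it must be a PAT limited to `read:packages` (fine-grained or classic), nothing broader.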
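Review bot: The new `auth_file = "/etc/containers/auth.json"` line is inserted right after `default_network`, i.e. in the same TOML table as the `[network]` keys `network_backend`/`default_network`, and I am not aware of containers.conf defining an `auth_file` key in any table; unrecognised keys are typically ignored, so this line may not be what makes the credentials take effect. The documented ways to point Podman at a credential file are the `REGISTRY_AUTH_FILE` environment variable, `--authfile`, or `AuthFile=` in the quadlet `.container` unit, and the default lookup path for root is `${XDG_RUNTIME_DIR}/containers/auth.json` rather than `/etc/containers/auth.json`. Please verify a private-image pull on a freshly provisioned host; if the key is indeed dropped, replace the two added lines with a pointer such as `# Registry credentials: set AuthFile=/etc/containers/auth.json in each .container unit` and carry the setting in the quadlets. The table header these keys belong to is above the hunk.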
@@ -64,4 +67,4 @@ default_subnet_pools = [ # - Create service-specific users for container isolation # - Use quadlet files for systemd integration # - Create custom networks for multi-container applications -# - Access host services via host.containers.internal \ No newline at end of file +# - Access host services via host.containers.internal