We document that registry credentials are honored from /etc/ostree/auth.json, but it's easy to miss (and needs to highlighted much better) (there's also the general issue with embedding the pull secret in the image itself, cc https://github.com/containers/bootc/issues/22 )
Now when using bootc install to-filesystem with a private registry, we could add bootc install --copy-container-credentials where we go and slurp out ~/.config/containers/auth.json and inject it into the final system as /etc/ostree/auth.json.
And the original podman credentials (injected into ~/.config/containers/auth.json) could have come from e.g. cloud-init (which is arguably more secure than embedding them into the image itself).
cgwalters
commented
6 months ago
We document that registry credentials are honored from
/etc/ostree/auth.json, but it's easy to miss (and needs to highlighted much better) (there's also the general issue with embedding the pull secret in the image itself, cc https://github.com/containers/bootc/issues/22 )Now when using
bootc install to-filesystemwith a private registry, we could addbootc install --copy-container-credentialswhere we go and slurp out~/.config/containers/auth.jsonand inject it into the final system as/etc/ostree/auth.json.This way we get a flow where we
podman loginon the original hostbootc install to-filesystem --copy-container-credentialsAnd the original podman credentials (injected into
~/.config/containers/auth.json) could have come from e.g. cloud-init (which is arguably more secure than embedding them into the image itself).