The role currently allows you to configure credential-helpers in registries.conf, but it does not provide a way to specify an auth.json file or other credential source. The only way to provide credentials currently is via the undocumented and misnamed 'container_image_user' and 'container_image_password' parameters, which are global - there is no way to specify different credentials for different registries or images. The role should support passing in one or more containers-auth.json files, and check that if the user specifies 'credential-helpers' in registries.conf, those files are specified in 'podman_credential_files'. We should ensure that the auth.json can be specified encrypted with Ansible vault, and that should be tested. Note that setting credential-helpers to 'containers-auth.json' is a special, reserved value which has special handling - see man containers-auth.json for more information. The role should honor that setting and behave as described in the man page.

New parameter - podman_credential_files - this is a list of credential file items.

podman_credential_files:
  - file_src: my_auth.json
    file: auth.json
    user: $username
    mode: "0600"

will copy the file my_auth.json (looked up in the default ansible file lookup path) to the remote system /home/$username/.config/containers/auth.json.

• file_src - source to copy to the remote system - if not an absolute path, will be found using the usual ansible file lookup path (e.g. files/)
• template_src - source to template then copy - uses the ansible template: module
• file_content - you can provide the contents inline (e.g. like the content parameter of the copy module) - but use file_src and template_src for large or complex files
• file - the destination on the source - if not absolute path, then use the default directory ~/.config/containers for root and rootless. If file is not specified, use ~/.config/containers/auth.json for root and rootless.
• user - user directory for ~/.config and the owner of the file. If 'user' is not specified, then use the podman_run_as_user setting.
• mode - file mode - defaults to "0600"

The file_src, template_src, file_content, and file parameters behave just like they do in https://github.com/linux-system-roles/podman/?tab=readme-ov-file#podman_quadlet_specs

Security

We should use no_log: true for any tasks which could potentially expose the contents of these files.
We should ensure that all files containing secrets, or secret values, can be passed via Ansible Vault encrypted values/files.

Acceptance Criteria

• User can specify 'podman_credential_files' with the above parameters and behavior
• 'podman_credential_files' is documented in the README.md
• There are tests in tests/ for the above which use Ansible Vault encrypted files/values
• Confirm that no credentials values are logged

spetros@redhat.com rhn-support-briasmit nkinder@redhat.com vrothber@redhat.com