RHEL-30185

podman role should support default credentials and per-unit credentials

    • rhel-system-roles-1.78.1-0.1.el10
    • sst_system_roles
    • 2
    • QE ack, Dev ack
    • False
    • Yes
    • Red Hat Enterprise Linux
    • System Roles Sprint 1, System Roles Sprint 2
    • Enhancement
      Feature: Add support for specifying registry password globally or on
      a per-spec basis.

      Reason: Some registries require authentication for access.

      Result: Users can use the podman role to manage containers with
      images in registries which require authentication.
    • Proposed

      The role currently does not have a supported way to specify image registry credentials. The only way to specify image registry credentials is with the undocumented parameters container_image_user and container_image_password. The recommended way to pass registry credentials is https://issues.redhat.com/browse/RHEL-30183. But for users who want to use username/password, we should officially support this.

      New parameters - podman_registry_username and podman_registry_password which are the global defaults, and registry_username and registry_password which can be specified for each kube_spec or quadlet_spec, to override the global defaults. If the user specified container_image_user and not podman_registry_username, set podman_registry_username to container_image_user. If the user specified container_image_password and not podman_registry_password, set podman_registry_password to container_image_password.

      Security

      Must be able to specify passwords using Ansible Vault, and tests should test this with Vault.
      Must use no_log: true on any task which could log the password value, and this should be verified.

      Acceptance criteria

      • User can specify credentials via podman_registry_username and podman_registry_password, and on a per-spec basis with registry_username and registry_password
      • If user specifies container_image_user and not podman_registry_username, set podman_registry_username to container_image_user
      • If user specifies container_image_password and not podman_registry_password, set podman_registry_password to container_image_password
      • The new parameters are documented in the README.md
      • The parameters container_image_user and container_image_password are marked as DEPRECATED in README.md
      • There are tests for the new parameters
      • The tests must use Ansible Vault encryption for the password parameters
      • The test runs should be checked to confirm that no password values are logged

      spetros@redhat.com nkinder@redhat.com rhn-support-briasmit vrothber@redhat.com
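
The precedence rule from the description and acceptance criteria, written as a stand-alone playbook. This is an added example, not the podman role's own tasks; the sample values, the `example_specs` list and the `__`-prefixed facts are constructed for illustration.

```yaml
# Added example: resolves registry credentials with the precedence the issue
# describes (per-spec value, then global default, then deprecated parameter).
- name: Resolve registry credentials per spec
  hosts: localhost
  gather_facts: false
  vars:
    # Constructed sample input. In real use the password values would come
    # from an Ansible Vault encrypted vars file, not from plain text here.
    container_image_user: legacyuser          # deprecated parameter
    container_image_password: legacy-secret   # deprecated parameter
    podman_registry_password: global-secret   # new global default
    example_specs:                            # hypothetical stand-in for a spec list
      - name: app1
      - name: app2
        registry_username: app2user
        registry_password: app2-secret
  tasks:
    - name: Fall back to the deprecated parameters when the new globals are unset
      ansible.builtin.set_fact:
        __registry_username: "{{ podman_registry_username | default(container_image_user | default('')) }}"
        __registry_password: "{{ podman_registry_password | default(container_image_password | default('')) }}"
      no_log: true

    - name: Let each spec override the global defaults
      ansible.builtin.set_fact:
        __resolved: >-
          {{ __resolved | default([]) + [{
               'name': item.name,
               'username': item.registry_username | default(__registry_username),
               'password': item.registry_password | default(__registry_password)
             }] }}
      loop: "{{ example_specs }}"
      no_log: true   # loop items and results carry the password

    - name: Check the precedence without printing any secret
      ansible.builtin.assert:
        that:
          - __resolved[0].username == 'legacyuser'      # deprecated fallback
          - __resolved[0].password == 'global-secret'   # new global wins
          - __resolved[1].username == 'app2user'        # per-spec override
          - __resolved[1].password == 'app2-secret'
        quiet: true
      no_log: true
```

Running it with `-vvv` and searching the output for the sample password strings is a quick way to confirm that `no_log: true` covers every task that handles them.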

            rmeggins@redhat.com Richard Megginson
            David Jez