From 562028f6612312a70be9e704c3dd92804fb073ab Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Thu, 23 May 2024 14:17:22 -0400 Subject: [PATCH] secrets: Doc credential helper In the [current architecture](https://github.com/ostreedev/ostree-rs-ext/) unfortunately it's going to be hard for us to fix this...it's explicitly by design today: https://github.com/ostreedev/ostree-rs-ext/blob/c0e8c8fe9c3344b9d349e2c9371e1335e1173bef/lib/src/container/mod.rs#L427 To handle the "credential helper only" case we'd need to enhance skopeo with something like `--no-root-homedir`. Closes: https://github.com/containers/bootc/issues/562 Signed-off-by: Colin Walters --- docs/src/building/secrets.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/src/building/secrets.md b/docs/src/building/secrets.md index b8e0d788..5f9e7656 100644 --- a/docs/src/building/secrets.md +++ b/docs/src/building/secrets.md @@ -2,7 +2,8 @@ # Secrets (e.g. container pull secrets) To have `bootc` fetch updates from registry which requires authentication, -you must include a pull secret in `/etc/ostree/auth.json`. +you must include a pull secret in `/etc/ostree/auth.json` (or +as of recent versions in `/usr/lib/ostree/auth.json`). Another common case is to also fetch container images via `podman` or equivalent. There is a [pull request to add `/etc/containers/auth.json`](https://github.com/containers/image/pull/1746) 
@@ -12,6 +13,13 @@ Regardless, injecting this data is a good example of a generic "secret". The bootc project does not currently include one single opinionated mechanism for secrets. +## Using a credential helper + +In order to use a credential helper as configured in `registries.conf` +such as `credential-helpers = ["ecr-login"]`, you must currently +also write a "no-op" authentication file with the contents `{}` (i.e. an +empty JSON object, not an empty file) into the pull secret location. + ## Embedding in container build This was mentioned above; you can include secrets in
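Review bot: In the first hunk (`docs/src/building/secrets.md`, the `/etc/ostree/auth.json` paragraph), "as of recent versions" leaves the reader without a way to know whether their installed bootc honours `/usr/lib/ostree/auth.json`; the note should name the version that introduced the `/usr/lib` location and state the lookup order when both files exist, since an operator who drops a secret in `/usr/lib/ostree/auth.json` expecting it to be overridden by `/etc/ostree/auth.json` (or vice versa) needs to know which one wins. It is also worth a sentence that `/usr/lib` content ships inside the image, so a secret placed there is subject to the same caveats as the "Embedding in container build" section below.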
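Review bot: In the second hunk, the new "Using a credential helper" section says to write `{}` "into the pull secret location" without naming the path; spell out `/etc/ostree/auth.json` (or the `/usr/lib/ostree/auth.json` alternative introduced in the first hunk) so the instruction is actionable, and mark the `{}` file as a workaround by linking the tracked issue from the commit message (https://github.com/containers/bootc/issues/562), so readers know the requirement is expected to go away once skopeo gains an option like `--no-root-homedir`. The parenthetical "not an empty file" is a good clarification; consider also saying what a user sees when the file is missing or empty, since that is the failure mode this section exists to prevent.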