Merge pull request #26692 from giuseppe/add-certdir-creds-to-podman-create-run

podman: add --creds and --cert-dir to create/run
2025-10-18 19:53:58 +08:00 · 2025-07-28 20:21:22 +00:00
parent d4fb80e6ce 7f2908afcf
commit a9ed97d4cf
8 changed files with 70 additions and 2 deletions
--- a/cmd/podman/common/create.go
+++ b/cmd/podman/common/create.go
@ -529,8 +529,24 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 				"`Pathname` of signature policy file (not usually used)",
 			)
 			_ = createFlags.MarkHidden("signature-policy")
+
+			certDirFlagName := "cert-dir"
+			createFlags.StringVar(
+				&cf.CertDir,
+				certDirFlagName, "",
+				"`Pathname` of a directory containing TLS certificates and keys",
+			)
+			_ = cmd.RegisterFlagCompletionFunc(certDirFlagName, completion.AutocompleteDefault)
 		}

+		credsFlagName := "creds"
+		createFlags.StringVar(
+			&cf.Creds,
+			credsFlagName, "",
+			"`credentials` (USERNAME:PASSWORD) to use for authenticating to a registry",
+		)
+		_ = cmd.RegisterFlagCompletionFunc(credsFlagName, completion.AutocompleteDefault)
+
 		createFlags.BoolVar(
 			&cf.Replace,
 			"replace", false,
--- a/cmd/podman/containers/create.go
+++ b/cmd/podman/containers/create.go
@ -384,6 +384,7 @@ func pullImage(cmd *cobra.Command, imageName string, cliVals *entities.Container
 		PullPolicy:       pullPolicy,
 		SkipTLSVerify:    skipTLSVerify,
 		OciDecryptConfig: decConfig,
+		CertDir:          cliVals.CertDir,
 	}

 	if cmd.Flags().Changed("retry") {
@ -404,6 +405,15 @@ func pullImage(cmd *cobra.Command, imageName string, cliVals *entities.Container
 		pullOptions.RetryDelay = val
 	}

+	if cliVals.Creds != "" {
+		creds, err := util.ParseRegistryCreds(cliVals.Creds)
+		if err != nil {
+			return "", err
+		}
+		pullOptions.Username = creds.Username
+		pullOptions.Password = creds.Password
+	}
+
 	pullReport, pullErr := registry.ImageEngine().Pull(registry.Context(), imageName, pullOptions)
 	if pullErr != nil {
 		return "", pullErr
--- a/docs/source/markdown/options/cert-dir.md
+++ b/docs/source/markdown/options/cert-dir.md
@ -1,5 +1,5 @@
 ####> This option file is used in:
-####>   podman artifact pull, artifact push, build, container runlabel, farm build, image sign, kube play, login, manifest add, manifest push, pull, push, search
+####>   podman artifact pull, artifact push, build, container runlabel, create, farm build, image sign, kube play, login, manifest add, manifest push, pull, push, run, search
 ####> If file is edited, make sure the changes
 ####> are applicable to all of those.
 #### **--cert-dir**=*path*
--- a/docs/source/markdown/options/creds.md
+++ b/docs/source/markdown/options/creds.md
@ -1,5 +1,5 @@
 ####> This option file is used in:
-####>   podman artifact pull, artifact push, build, container runlabel, farm build, kube play, manifest add, manifest push, pull, push, search
+####>   podman artifact pull, artifact push, build, container runlabel, create, farm build, kube play, manifest add, manifest push, pull, push, run, search
 ####> If file is edited, make sure the changes
 ####> are applicable to all of those.
 #### **--creds**=*[username[:password]]*
--- a/docs/source/markdown/podman-create.1.md.in
+++ b/docs/source/markdown/podman-create.1.md.in
@ -83,6 +83,8 @@ and specified with a _tag_.

@@option cap-drop

+@@option cert-dir
+
@@option cgroup-conf

@@option cgroup-parent
@ -113,6 +115,8 @@ and specified with a _tag_.

@@option cpuset-mems

+@@option creds
+
@@option decryption-key

@@option device
--- a/docs/source/markdown/podman-run.1.md.in
+++ b/docs/source/markdown/podman-run.1.md.in
@ -102,6 +102,8 @@ and specified with a _tag_.

@@option cap-drop

+@@option cert-dir
+
@@option cgroup-conf

@@option cgroup-parent
@ -132,6 +134,8 @@ and specified with a _tag_.

@@option cpuset-mems

+@@option creds
+
@@option decryption-key

 #### **--detach**, **-d**
--- a/pkg/domain/entities/pods.go
+++ b/pkg/domain/entities/pods.go
@ -266,6 +266,8 @@ type ContainerCreateOptions struct {
 	IsInfra              bool
 	IsClone              bool
 	DecryptionKeys       []string
+	CertDir              string
+	Creds                string
 	Net                  *NetOptions `json:"net,omitempty"`

 	CgroupConf []string
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@ -2,6 +2,7 @@

 load helpers
 load helpers.network
+load helpers.registry

 # bats test_tags=distro-integration, ci:parallel
@test "podman run - basic tests" {
@ -1854,4 +1855,35 @@ EOF
    run_podman rm -f $c1name $c2name
 }

+# bats test_tags=networking,registry
+@test "podman run with --cert-dir" {
+    skip_if_remote "cert-dir option not working via remote"
+
+    test -n "$PODMAN_LOGIN_REGISTRY_PORT" || skip "registry not set up"
+
+    start_registry
+
+    image=localhost:${PODMAN_LOGIN_REGISTRY_PORT}/cert-dir-run-test-$(safename)
+
+    # First push an image to our test registry
+    run_podman push \
+               --cert-dir ${PODMAN_LOGIN_WORKDIR}/trusted-registry-cert-dir \
+               --creds ${PODMAN_LOGIN_USER}:${PODMAN_LOGIN_PASS} \
+               $IMAGE $image
+
+    # Run without --cert-dir should fail (TLS verification error)
+    run_podman 125 run --rm \
+               --creds ${PODMAN_LOGIN_USER}:${PODMAN_LOGIN_PASS} \
+               $image echo "this should fail"
+
+    # Run with --cert-dir should succeed (will pull the image)
+    run_podman run --rm \
+               --cert-dir ${PODMAN_LOGIN_WORKDIR}/trusted-registry-cert-dir \
+               --creds ${PODMAN_LOGIN_USER}:${PODMAN_LOGIN_PASS} \
+               $image true
+
+    # Clean up, and it would fail if the $image was not pulled
+    run_podman rmi $image
+}
+
 # vim: filetype=sh